Exploit published in December makes cracking unpatched Oracle servers effortless.
by Sean Gallagher – Jan 9, 2018 5:12 pm UTC
In a report published on January 7 by SANS Technology Institute, Morphus Labs researcher Renato Marinho described what appears to be an ongoing worldwide hacking campaign by numerous attackers against PeopleSoft and WebLogic servers that leverages a Web application server vulnerability patched by Oracle late last year.
These attackers aren’t stealing data from victims, however—at least as far as anyone can tell. Instead, the exploit is being used to mine cryptocurrencies. In one case, according to analysis posted today by SANS Dean of Research Johannes B. Ullrich, the attacker netted at least 611 Monero coins (XMR)—$226,000 worth of the cryptocurrency.
The attacks appear to have leveraged a proof-of-concept exploit of the Oracle vulnerability published in December by Chinese security researcher Lian Zhang. Almost immediately after the proof of concept was published, there were reports of it being used to install cryptominers from several different locations—attacks launched from servers (some of them likely compromised servers themselves) hosted by Digital Ocean, GoDaddy, and Athenix.
“The victims are distributed worldwide,” wrote Ullrich. “This isn’t a targeted attack. Once the exploit was published, anybody with limited scripting abilities was able to participate in taking down WebLogic/PeopleSoft servers.”
In the case of the attack documented by Marinho, the attacker installed a legitimate Monero mining software package called xmrig on 722 vulnerable WebLogic and PeopleSoft systems—many of them running on public cloud services, according to Ullrich. More than 140 of those systems were in the Amazon Web Services public cloud, and smaller numbers of servers were on other hosting and cloud services—including roughly 30 on Oracle’s own public cloud service.
The exploit code makes scanning for vulnerable systems simple, so the entire universe of publicly exposed, unpatched Oracle Web application servers could quickly fall victim to these and other attacks. On the bright side, some of these surreptitious mining efforts were detected relatively quickly because the script used to “drop” the mining tool also killed the “java” process on the targeted servers—essentially shutting down the application server and drawing quick attention from administrators.
The installer used in the documented Monero attack was a simple bash script. It issues commands to seek out and kill other blockchain miners that may have arrived before it, and it sets up a CRON job to download and launch the miner tool in order to keep its foothold intact.
Ullrich warned that victims shouldn’t simply end their response to these intrusions by patching their servers and removing the mining software. “It is very likely that more sophisticated attackers used this to gain a persistent foothold on the system. In this case, the only ‘persistence’ we noticed was the CRON job. But there are many more, and more difficult to detect, ways to gain persistence.”