Rather than needing to phish, attackers are simply “causing the affected server to download a copy of the ransomware from attacker-controlled IP addresses”
Oracle WebLogic Server users need to patch their systems urgently, with a critical remote code execution vulnerability being widely exploited in the wild, including for delivery of a previously unseen ransomware variant, cybersecurity researchers say.
Oracle broke with its normal patch cycle to release an emergency patch on April 26. The vulnerability has a “critical” CVSS score of 9.8, indicating how severe the issue is.
The exploit allows attackers to remotely control victim hosts and execute code, install persistence and laterally move throughout the network: “Exploit code has been released into the public domain and we have observed active attacks against our customer base using this vulnerability”, Alert Logic said of the vuln: CNVD-C-2019-48814.
The Oracle WebLogic vulnerability Can be Exploited over a Network without the need for a Username and Password.
Alert Logic blamed “flawed implementation in deserializing input information”, meaning an attacker can send a malicious HTTP request to execute commands remotely and without authorisation. Oracle credited “Badcode” of China’s Knownsec 404 Team and eight other Chinese cybersecurity researchers for the find; the severity of which was matched by ease of execution for those seeking to exploit the zero day.
“Oracle WebLogic wls9_async and wls-wsat components trigger deserialization remote command execution vulnerability” the Chinese team wrote on Medium, adding: “This vulnerability affects all Weblogic versions (including the latest version) that have the wls9_async_response.war and wls-wsat.war components enabled.”
Oracle recommends that customers apply the April 2019 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products too.
Attacks using the recently-disclosed Oracle WebLogic vulnerability include the delivery of a previously unseen ransomware variant dubbed “Sodinokibi”, Cisco Talos security researchers said in a Tuesday analysis of the vulnerability.
Talos said: “Historically, most varieties of ransomware have required some form of user interaction, such as a user opening an attachment to an email message, clicking on a malicious link, or running a piece of malware on the device. In this case, the attackers simply leveraged the Oracle WebLogic vulnerability, causing the affected server to download a copy of the ransomware from attacker-controlled IP addresses”
“For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2019 Patch Availability Document for Oracle Products, My Oracle Support Note 2535708.1” Oracle said.
It noted that patches released through the Security Alert program are provided only for product versions that are covered under the Premier Support or Extended Support phases of its Lifetime Support Policy.