This article is more than 1 year old

If you're using Oracle's WebLogic Server, check for security fixes: Bug exploited in the wild to install ransomware

Big Red rushes out software patch as ransomware scumbags move in

IT admins overseeing Oracle's WebLogic Server installations need to get patching immediately: miscreants are exploiting what was a zero-day vulnerability in the software to pump ransomware into networks.

The Cisco Talos security team said one its customers discovered it had been infected via the bug on April 25, though the exploit is believed to have been kicking around the web since April 17. The programming blunder at the heart of the matter is a deserialization vulnerability that can be exploited to execute malicious code on a remote WebLogic server with no username or password needed. A hacker just needs to be able to reach the at-risk service across the internet or network to infiltrate it.

"WebLogic's design makes it particularly prone to these types of vulnerabilities," said Johannes Ullrich, dean of research at the SANS Technology Institute, in an advisory this week. "Do not expose WebLogic to the Internet if you can help it. I doubt that this was the last such vulnerability."

The flaw was first identified by Chinese and Taiwanese researchers, and the first official alert was sent out by China's National Vulnerability Database and assigned CVE-2019-2725. Oracle rushed out an out-of-band patch on Friday, April 26, rating it 9.8 out of 10 on the severity scale and urged everyone to get patching – although Big Red being what it is, you'll need a suitable support contract to get the fix, it appears.

As Ellison and Co put it: "Patches released through the Security Alert program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Security Alert program are available for the versions they are currently running.

"Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions."

A brand new nasty

According to the Talos team, miscreants were spotted using the WebLogic flaw to inject ransomware called Sodinokibi (aka REvil) into at least one corporate network. Once they were able to execute code on a vulnerable system, the hackers pulled the file-scrambling malware down from two IP addresses – 188.166.74[.]218 and 45.55.211[.]79. The former is a known host for malicious software, though the latter appears to be linked to a legit website in Chile that was pwned to act as a launch pad for the attack.


Brit Police Federation cops to ransomware attack on HQ systems


Specifically, the criminals used PowerShell on vulnerable Windows-based boxes to download down a file dubbed radm.exe, which contained the ransomware. Once run, it disabled the default Windows backup mechanisms, to make recovery harder, mass-encrypted documents, and then opened a window demanding a payment in Bitcoin that would double if not paid within three days.

Eight hours after the initial attack, the malware operators returned to download and run a second piece of malware, Gandcrab v5.2, which was release on February 19 this year.

"We find it strange the attackers would choose to distribute additional, different ransomware on the same target," said Team Talos. "Sodinokibi being a new flavor of ransomware, perhaps the attackers felt their earlier attempts had been unsuccessful and were still looking to cash in by distributing Gandcrab."

The team – Pierre Cadieux, Colin Grady, Jaeson Schultz, and Matt Valites – said Talos was able to help its customer clean up the infection, but warned that many more are likely to come. Given the large number of WebLogic servers out there, this attack vector is bound to be reused. ®

More about


Send us news

Other stories you might like