Hackers Found Exploiting Oracle WebLogic RCE Flaw to Spread Ransomware
- April 18, 2019
- Posted by: Mohamed Atef
- Category: News
ransomware attack oracle weblogic server
Taking advantage of newly disclosed and even patched vulnerabilities has become common among cybercriminals, which makes it one of the primary attack vectors for everyday-threats, like crypto-mining, phishing, and ransomware.
As suspected, a recently-disclosed critical vulnerability in the widely used Oracle WebLogic Server has now been spotted actively being exploited to distribute a never-before-seen ransomware variant, which researchers dubbed “Sodinokibi.”
Last weekend, The Hacker News learned about a critical deserialization remote code execution vulnerability in Oracle WebLogic Server that could allow attackers to remotely run arbitrary commands on the affected servers just by sending a specially crafted HTTP request—without requiring any authorization.
To address this vulnerability (CVE-2019-2725), which affected all versions of the Oracle WebLogic software and was given a severity score of 9.8 out of 10, Oracle rolled out an out-of-band security update on April 26, just a day after the vulnerability was made public and several in-the-wild attacks were observed.
According to cybersecurity researchers from Cisco Talos’ threat research team, an unknown group of hackers has been exploiting this vulnerability since at least April 25 to infect vulnerable servers with a new piece of ransomware malware.
Sodinokibi is a dangerous ransomware variant which has been designed to encrypt files in a user’s directory and then delete shadow copy backups from the system in an effort to prevent victims from recovering their data without paying a ransom.
No Interaction Required to Deploy Ransomware
Since attackers are leveraging a remote code execution vulnerability in the WebLogic Server, unlike typical ransomware attacks, deploying the Sodinokibi ransomware requires no user interaction.
“Historically, most varieties of ransomware have required some form of user interaction, such as a user opening an attachment to an email message, clicking on a malicious link, or running a piece of malware on the device,” researchers explain in a blog post.
“In this case, the attackers simply leveraged the Oracle WebLogic vulnerability, causing the affected server to download a copy of the ransomware from attacker-controlled IP addresses.”