Unpatched Oracle WebLogic Servers At Risk Of Takeover By Cryptojackers

Oracle WebLogic Server OS Command Injection Flaw Still Under Attack

Published on June 11th, 2024

Oracle WebLogic Server, a widely used application server for building and deploying enterprise applications, is affected by an OS command injection flaw that has recently come back under scrutiny.

This critical vulnerability is actively being exploited by malicious actors, posing significant security risks to affected systems.

Step 1: Introduction To The Security Flaw

On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a security flaw impacting the Oracle WebLogic Server to the Known Exploited Vulnerabilities (KEV) catalog.

This decision was based on evidence of active exploitation of the flaw.

Step 2: Details Of The Vulnerability

The vulnerability, tracked as CVE-2017-3506 with a CVSS score of 7.4, is an operating system (OS) command injection flaw.

It can be exploited to gain unauthorized access to vulnerable servers, potentially allowing attackers to take complete control of them.

Step 3: Technical Description

CISA explained that the Oracle WebLogic Server, a component of the Fusion Middleware suite, contains an OS command injection vulnerability.

This flaw enables attackers to execute arbitrary code via specially crafted HTTP requests that include malicious XML documents.

Step 4: Nature Of Exploitation

While specific details of the attacks were not disclosed, the China-based cryptojacking group known as the 8220 Gang (also referred to as Water Sigbin) is known to have exploited this vulnerability.

Since early last year, they have been using it to compromise unpatched devices, incorporating them into a crypto-mining botnet.

Step 5: Recent Exploit Reports

A recent report by Trend Micro highlighted that the 8220 Gang has exploited vulnerabilities in the Oracle WebLogic server, specifically CVE-2017-3506 and CVE-2023-21839.

They launch a cryptocurrency miner filelessly in memory using a shell or PowerShell script, depending on the targeted operating system.

Step 6: Methods And Techniques Used

Security researcher Sunil Bharti noted that the gang employed obfuscation techniques such as hexadecimal encoding of URLs and using HTTP over port 443 for stealthy payload delivery.

The PowerShell script and the resulting batch file involved complex encoding, hiding malicious code within seemingly benign script components using environment variables.
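As an added defender-side illustration (not code from the article or from Trend Micro), the following Python decodes hex/percent-encoded request URLs in constructed web-server access-log lines and flags the encoding patterns described above: heavily encoded paths, nested encoding that only resolves after several decoding rounds, and decoded URLs that mention shell or PowerShell interpreters. The log lines, paths and keyword list are constructed for the example.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Constructed access-log lines (illustrative; not taken from any real server)
SAMPLE_LOGS = [
    '10.0.0.5 - - [11/Jun/2024:10:01:02 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 512',
    '10.0.0.9 - - [11/Jun/2024:10:02:07 +0000] "GET /app/run?c=%70%6f%77%65%72%73%68%65%6c%6c HTTP/1.1" 200 48',
    '10.0.0.9 - - [11/Jun/2024:10:02:09 +0000] "GET /app/run?c=%2570%256f%2577%2565%2572%2573%2568%2565%256c%256c HTTP/1.1" 200 48',
    '10.0.0.7 - - [11/Jun/2024:10:03:11 +0000] "GET /search?q=hello%20world HTTP/1.1" 200 1024',
]

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')
# Interpreter names a decoded URL should not normally contain (hypothetical watch list)
SUSPICIOUS = ("powershell", "/bin/sh", "cmd.exe", "curl ", "wget ")

def decode_url(url: str, max_rounds: int = 3) -> tuple:
    """Percent-decode repeatedly until the text stops changing; return (decoded, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(url)
        if decoded == url:
            break
        url, rounds = decoded, rounds + 1
    return url, rounds

def encoded_fraction(url: str) -> float:
    """Share of the raw URL made up of %XX escapes (three characters each)."""
    escapes = len(re.findall(r"%[0-9A-Fa-f]{2}", url))
    return (3 * escapes) / len(url) if url else 0.0

def analyze(line: str) -> Optional[dict]:
    """Parse one log line and return the request with the reasons (if any) it looks suspicious."""
    m = LOG_RE.search(line)
    if not m:
        return None
    raw = m.group("url")
    decoded, rounds = decode_url(raw)
    reasons = []
    if encoded_fraction(raw) > 0.5:
        reasons.append("heavily hex-encoded URL")
    if rounds > 1:
        reasons.append(f"{rounds}x nested encoding")
    hits = [k for k in SUSPICIOUS if k in decoded.lower()]
    if hits:
        reasons.append("decoded URL mentions " + ", ".join(hits))
    return {"method": m.group("method"), "raw": raw, "decoded": decoded, "reasons": reasons}

def flagged(lines):
    """Return only the parsed requests that triggered at least one reason."""
    return [r for r in map(analyze, lines) if r and r["reasons"]]
```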

Step 7: Recommendations For Mitigation

In light of the active exploitation of this flaw, together with CVE-2024-1086 and CVE-2024-24919, CISA recommends that federal agencies apply the latest security patches by June 24, 2024.

This action is crucial to protect networks against potential threats.

Step 8: Key Points Summary

  • Vulnerability Identification: CVE-2017-3506
  • Impact: Unauthorized access and control of servers
  • Exploited by: 8220 Gang (Water Sigbin)
  • Exploitation Techniques: OS command injection via malicious HTTP requests
  • Current Exploitation Activity: Active, including crypto-mining botnet integration
  • Mitigation Deadline: June 24, 2024

By following these steps, organizations can better understand and address the critical vulnerabilities affecting Oracle WebLogic Server, ensuring enhanced cybersecurity measures are in place.