Attackers are using a critical vulnerability in the Oracle WebLogic Server to install ransomware, and began exploiting the bug before Oracle issued a patch for it last week. The attacks represent one of the few examples of attackers using active exploits, rather than social engineering, in order to lock up victims’ machines.
The attacks are targeting a weakness in WebLogic, Oracle’s popular application server. The bug is about as serious as they come, as a remote attacker can exploit it without any authentication. The details of the vulnerability have been public since April 26, when Oracle released an emergency security fix for it. The flaw lies in the web services component of the WebLogic Server and is trivial to exploit.
“This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password,” Oracle’s advisory says.
While the Oracle patch came out on April 26, attackers were exploiting the vulnerability before that, possibly since at least April 17. On April 25, attackers began using the vulnerability for the initial stage of a ransomware operation against an unnamed organization, researchers at Cisco’s Talos Intelligence Group say. The following day, the attackers connected to a separate WebLogic server in the same organization and exploited the vulnerability there as well. The next step was to install the ransomware, known as Sodinokibi, on the compromised server. Usually, attackers rely on victims opening a malicious email attachment or visiting a site that serves an exploit through a drive-by download in order to install ransomware. This operation was different.
“In this case, the attackers simply leveraged the Oracle WebLogic vulnerability, causing the affected server to download a copy of the ransomware from attacker-controlled IP addresses 188.166.74[.]218 and 45.55.211[.]79. The 188.166.74[.]218 IP address is also home to a pair of other malicious domains unrelated to this ransomware attack: arg0s-co[.]uk, which is likely a phishing domain, and projectstore[.]guru, a domain with bogus PDF-related Google search results,” an analysis of the attack by Pierre Cadieux, Colin Grady, Jaeson Schultz and Matt Valites of Talos says.
“The other IP, 45.55.211[.]79, hosts a pair of legitimate Chilean domains, and appears to have been infected and repurposed by the attackers. The attackers were ultimately successful at encrypting a number of customer systems during this incident.”
Once the ransomware is installed, it downloads a couple of other files and utilities. One of these is used to try to stop victims from recovering their encrypted files after the infection.
“This action is a common tactic of ransomware to prevent users from easily recovering their data. It attempts to delete default Windows backup mechanisms, otherwise known as ‘shadow copies,’ to prevent recovery of the original files from these backups,” the Talos analysis says.
“The ransom note, in this case, directs victims to either a .onion website on the Tor network or on the public web at the domain decryptor[.]top, registered on March 31 this year. With Sodinokibi, each encrypted system sees a distinct encrypted file extension.”
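As an added example that is not from the article or from Talos, the following Python detector scans constructed process-creation and egress log lines for the two behaviours described above: the WebLogic JVM reaching out to the payload-hosting IP addresses Talos named, and the shadow-copy deletion step. It assumes a simple space-separated key=value log format; the host names and log lines are constructed for the example.

```python
import re
from dataclasses import dataclass
# Indicators quoted in the Talos analysis, defanged exactly as the article prints them.
ATTACKER_IPS_DEFANGED = {"188.166.74[.]218", "45.55.211[.]79"}
def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4 into the form that appears in logs."""
    return indicator.replace("[.]", ".")
ATTACKER_IPS = {refang(ip) for ip in ATTACKER_IPS_DEFANGED}
# Command patterns for the shadow-copy deletion step described in the analysis.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
# WebLogic runs inside a JVM; a shell spawned by that JVM is unexpected on an app server.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe"}

@dataclass
class Alert:
    host: str
    rule: str
    detail: str

def parse_kv(line: str) -> dict:
    """Parse space-separated key=value fields; values may be double-quoted."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
def check_process(line: str) -> list:
    """Flag shadow-copy deletion and shells spawned by the WebLogic JVM."""
    f, alerts = parse_kv(line), []
    if SHADOW_DELETE.search(f.get("cmd", "")):
        alerts.append(Alert(f["host"], "shadow_copy_deletion", f["cmd"]))
    if f.get("parent", "").lower() == "java.exe" and f.get("image", "").lower() in SHELL_CHILDREN:
        alerts.append(Alert(f["host"], "jvm_spawned_shell", f["image"]))
    return alerts
def check_egress(line: str) -> list:
    """Flag outbound connections to the payload-hosting IPs named in the analysis."""
    f = parse_kv(line)
    return [Alert(f["host"], "known_payload_host", f["dst"])] if f.get("dst") in ATTACKER_IPS else []
def scan(process_lines, egress_lines) -> list:
    alerts = [a for line in process_lines for a in check_process(line)]
    return alerts + [a for line in egress_lines for a in check_egress(line)]

# Constructed sample log lines (not from the article) covering both behaviours.
PROCESS_LOG = [
    'host=web01 parent=java.exe image=vssadmin.exe cmd="vssadmin delete shadows /all /quiet"',
    'host=web01 parent=java.exe image=cmd.exe cmd="cmd.exe /c dir"',
    'host=web02 parent=explorer.exe image=notepad.exe cmd="notepad.exe"',
]
EGRESS_LOG = [
    "host=web01 process=java.exe dst=188.166.74.218 dport=80",
    "host=web01 process=java.exe dst=10.0.0.5 dport=1521",
]
for a in scan(PROCESS_LOG, EGRESS_LOG):
    print(f"{a.host}: {a.rule} ({a.detail})")
```

The indicator match only catches the two addresses Talos published; the JVM-spawns-shell and shadow-copy rules are the behavioural checks that still fire when the payload host changes.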
In the operation analyzed by Talos, the attackers later tried to exploit the WebLogic vulnerability again in order to install the infamous Gandcrab ransomware.
Both Oracle and Talos are recommending that organizations install the patch for WebLogic as soon as possible, given the ease of exploitation.