Pierluigi Paganini November 07, 2020

At least one ransomware operator appears to have exploited the recently patched CVE-2020-14882 vulnerability affecting Oracle WebLogic.

At least one ransomware operator appears is exploiting the recently patched CVE-2020-14882 vulnerability in Oracle WebLogic.

At the end of October, threat actors have started scanning the Internet for servers running vulnerable installs of Oracle WebLogic in the attempt of exploiting the CVE-2020-14882 flaw.

The CVE-2020-14882 can be exploited by unauthenticated attackers to take over the system by sending a simple HTTP GET request.

The vulnerability received a severity rating 9.8 out of 10, it was addressed by Oracle in this month’s release of Critical Patch Update (CPU).

The issue affects versions of Oracle WebLogic Server are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.

The flaw was discovered by the security researcher Voidfyoo from Chaitin Security Research Lab, it was addressed in Oracle’s October 2020 Critical Patch Update.

In early November, Oracle issued an out-of-band security update to address another critical remote code execution (RCE) vulnerability, tracked as CVE-2020-14882.

Renato Marinho, a security researcher at Morphus Labs and SANS ISC handler reported that the WebLogic honeypots he set up were targeted by a large number of scans for CVE-2020–14882.

“Starting late last week, we observed a large number of scans against our WebLogic honeypots to detect if they are vulnerable to CVE-2020–14882.” reads the analysis published by the expert. “CVE-2020–14882 was patched about two weeks ago as part of Oracle’s quarterly critical patch update. In addition to scans simply enumerating vulnerable servers, we saw a small number of scans starting on Friday (Oct. 30th) attempting to install crypto-mining tools.”

The expert spotted a small number of scans starting on October 30 attempting to install crypto-mining tools.

Over the weekend, the experts uncovered a campaign targeting the same vulnerability and leveraging a chain of obfuscated PowerShell scripts to fetch a Cobalt Strike payload.

Cisco Talos Q4 2020 CTIR report revealed that 66% of all ransomware attacks in Q4 involved the use of Cobalt Strike, for this reason, experts speculate that threat actors were exploiting the CVE-2020–14882 to deploy this specific kind of malware.

The only way to prevent these attacks is to apply the security updates to the WebLogic installs as soon as possible. The analysis published by Morphus Labs also includes Indicators of Compromise (IoCs) for these attacks.

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2020-14882)

[adrotate banner=”5″]

[adrotate banner=”13″]