Crooks exploit Oracle WebLogic flaw to deliver Sodinokibi Ransomware

Pierluigi Paganini May 01, 2019

Threat actors are exploiting a recently patched critical Oracle WebLogic Server vulnerability to deliver the Sodinokibi ransomware to organizations.

Threat actors are delivering a new piece of malware, tracked as
Sodinokibi, by exploiting a recently patched Oracle WebLogic Server vulnerability.

Oracle WebLogic Server is a Java EE application server currently developed by Oracle Corporation, it is used by numerous applications and web enterprise portals based on Java technology. The flaw initially received the identifier CNVD-C-2019-48814.

An attacker could exploit the vulnerability to remotely execute commands without authorization by sending a specially crafted HTTP request.

On April 26, Oracle addressed the flaw with the release of an out-of-band update.

The threat was detected and analyzed by several firms (i.e. South Korean EST Security, Cisco’s Talos), independent researchers, intelligence group.

“Oracle first patched the issue on April 26, outside of their normal patch cycle, and assigned it CVE-2019-2725. This vulnerability is easy for attackers to exploit, as anyone with HTTP access to the WebLogic server could carry out an attack. Because of this, the bug has a CVSS score of 9.8/10.” reads the analysis published by Cisco Talos.” Attackers have been making use of this exploit in the wild since at least April 17. “

Sodinokibi ransomware

Crooks used PowerShell commands to download and execute malicious payloads, they demanded a ransom that ranges from $1,500 worth of BitCoin up to $2,500. The ransom doubles if the victims do not pay it within a specified number of days.

Talos started seeing the first stages of the Sodinokibi attacks — the attackers first looked for exploitable WebLogic servers —

Since April 25, one day before Oracle released security patches, the experts started observing Sodinokibi ranomware infections.

Talos also noted that threat actors were exploiting the flaw to deliver the popular Gandcrab ransomware.

“We find it strange the attackers would choose to distribute additional, different ransomware on the same target. Sodinokibi being a new flavor of ransomware, perhaps the attackers felt their earlier attempts had been unsuccessful and were still looking to cash in by distributing Gandcrab,” continues Talos researchers.

Experts discovered that the CVE-2019-2725 has been also exploited to deliver cryptocurrency miners and other types of malware. Researchers believe it has also likely been exploited in targeted attacks.

“Due to the ubiquity of Oracle WebLogic servers and the ease of exploitation of this vulnerability, Talos expects widespread attacks involving CVE-2019-2725 ” concludes Talos.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – sodinokibiransomware, Weblogic)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment