An Oracle Vulnerability Running Malicious Code Is Actively Under Attack

Screenshot of the Oracle interface.

Attackers are targeting a newly patched vulnerability in Oracle WebLogic that allows them to execute code of their choice, including malware that integrates servers into a botnet that steals passwords and other sensitive information.

WebLogic is a Java business application server that supports various databases. WebLogic servers are a coveted prize for hackers, who often use them to mine cryptocurrency, install ransomware, or as a foothold into other parts of a corporate network. Shodan, a service that scans the Internet for various hardware and software platforms, found approximately 3,000 servers running the middleware application.

CVE-2020-14882, as the vulnerability is tracked, is a critical vulnerability that Oracle patched in October. It allows attackers to execute malicious code over the Internet with little effort or skill and without authentication. Working exploit code became publicly available eight days after Oracle released the patch.

Juniper Networks researcher Paul Kimayong says hackers are actively using five different attack variants to exploit servers still vulnerable to CVE-2020-14882. Among the variants is one that installs the DarkIRC bot. Once infected, the servers become part of a botnet that can install malware of the operator's choice, mine cryptocurrencies, steal passwords, and carry out denial-of-service attacks. The DarkIRC malware was available for purchase in underground markets for $75 in October and is likely still on sale today. PhD student Tolijan Trajanovski has more details here.

The other exploit variants install the following payloads:

  • Cobalt Strike
  • Perlbot
  • Meterpreter
  • Mirai

The attacks are just the latest to target this easily exploited vulnerability. One day after the exploit code was posted online, researchers from SANS and Rapid 7 said they were seeing hackers opportunistically attempting to exploit CVE-2020-14882. Back then, however, attackers weren’t trying to exploit the vulnerability to install malware, only to test whether a server was vulnerable.

CVE-2020-14882 affects versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0 of WebLogic. Anyone running any of these versions should immediately install the patch Oracle released in October. Users should also install the fix for CVE-2020-14750, a separate but related vulnerability that Oracle addressed in an emergency update two weeks after the release of the patch for CVE-2020-14882.
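A first step for a defender is to find which hosts in an inventory report one of the affected versions. The script below is an added example, not code from the article or from Oracle: the affected-version list is the one the article gives, the "host,version" CSV layout and the zero-padding of short version strings are assumptions made for illustration, and the inventory lines are constructed sample data.

```python
"""Flag WebLogic hosts that report a version affected by CVE-2020-14882.

Added example, not from the article. The affected-version list is the one
the article gives; the inventory lines are constructed sample data, and the
"host,version" CSV layout is an assumption for illustration.
"""
from typing import Dict, List, Tuple

# Versions the article lists as affected by CVE-2020-14882.
AFFECTED_VERSIONS = {
    "10.3.6.0.0",
    "12.1.3.0.0",
    "12.2.1.3.0",
    "12.2.1.4.0",
    "14.1.1.0.0",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '12.2.1.4.0' into (12, 2, 1, 4, 0).

    Assumption: a version with fewer than five components is padded with
    zeros, so '12.2.1.4' is treated as '12.2.1.4.0'. Raises ValueError on
    anything that is not a dotted run of integers.
    """
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (5 - len(parts))


AFFECTED = {parse_version(v) for v in AFFECTED_VERSIONS}


def triage(inventory_lines: List[str]) -> Dict[str, List[str]]:
    """Sort 'host,version' lines into affected / not_listed / unparseable buckets.

    'not_listed' only means the version is absent from the article's list; it
    is not proof that the host is safe.
    """
    result: Dict[str, List[str]] = {"affected": [], "not_listed": [], "unparseable": []}
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and the header comment
        host, _, version = line.partition(",")
        try:
            parsed = parse_version(version)
        except ValueError:
            result["unparseable"].append(host)
            continue
        if parsed in AFFECTED:
            result["affected"].append(host)
        else:
            result["not_listed"].append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    "# host,weblogic_version",
    "wls-prod-01,12.2.1.4.0",
    "wls-prod-02,12.2.1.3.0",
    "wls-legacy-01,10.3.6.0.0",
    "wls-dev-01,12.2.1.4",       # missing trailing .0, padded by parse_version
    "wls-lab-01,unknown",        # not a version string at all
    "wls-new-01,14.1.2.0.0",     # not in the article's list
]

if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY)
    for bucket, hosts in report.items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The version string alone does not show whether the October patch or the CVE-2020-14750 fix has actually been applied, since Oracle's interim patches are applied on top of the base release and leave that base version number unchanged; hosts flagged as affected still need the installed-patch inventory checked (for example with `opatch lsinventory`) before being considered remediated.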
