Attackers Exploiting Oracle Weblogic Server Vulnerability to Encrypt User Data
In order to install a new variant of a malware known as “Sodinokibi”, con men are taking advantage of the remote code execution vulnerability in Oracle Weblogic Server.
The vulnerability which has been recently discovered on versions
10.3.6.0, 22.214.171.124 of Oracle WebLogic Server, allows people with HTTP access to execute the attack without any verification.
Reportedly, a patch has been issued by the computer sofyware company on April 26.
The foundation of the attacks was laid around April 25 and it was on the next day, i.e., April 26, the hackers secured connections with multiple HTTP servers which were vulnerable, as per the findings of Talos Investigation.
The vulnerability has been exploited by the hackers to download the malware copies from servers administered by con men and to corrupt various legitimate sources and make alterations to repurpose it.
“Cisco IR Services and Talos observed the attack requests originating from 130.61.54[.]136 and the attackers were ultimately successful at encrypting a number of customer systems.”
How does the ransomware infects?
It begins with the HTTP POST request which carries certutil command to execute the infectious files upon downloading.
As soon the malicious process starts, it triggers the vssadmin.exe utility, which on being executed assists Windows in generating some sort of backup, either automatic or manual.
After this, the ransomware attempts to hinder the recovery process by terminating backup mechanism.
Users can reach the security alert posted by Oracle and are advised to fix the forementioned (CVE-2019-2725) vulnerability.