Oracle WebLogic Exploit

vSOC SPOT Report: Oracle WebLogic

Overview

On July 18, 2018, Oracle released a routine patch for an Oracle WebLogic Server remote code execution vulnerability (CVE-2018-2893). This WebLogic vulnerability can allow an unauthenticated attacker to remotely compromise and take over the Oracle WebLogic server. CVE-2018-2893 received a “critical” rating and a 9.8 out of 10 CVSSv3 score because of the ease of exploitation by a remote unauthenticated attacker. Within three days of the public announcement of the vulnerability and the release of the patch, proof-of-concept code to exploit the vulnerability was available online. Many security research teams have observed a sharp uptick in scanning and exploitation attempts as different threat actors modify their campaigns to use the newly public exploit code.

Technical Overview

Details about the vulnerability were not made public until after Oracle released patches for the bug on July 18, 2018. However, several Proof-Of-Concept (POC) exploits were posted to various websites shortly after the patch was released, and automated exploitation of the vulnerability quickly became widespread.

There are currently two groups being monitored that have automated the exploit and are using it at scale to gain control of unpatched WebLogic servers. The exploit allows an unauthenticated attacker to gain access to the server, typically over port 7001, and to drop and execute a .jar file. That file unpacks and runs code that fetches additional files onto the system, including the Bill Gates DDoS malware, the XMRig Monero cryptominer, and other backdoors.

Versions of Oracle WebLogic that are affected by this vulnerability are:

  • 10.3.6.0
  • 12.1.3.0
  • 12.2.1.2
  • 12.2.1.3

Oracle has not confirmed whether older unsupported versions are affected but they should be assumed vulnerable.

Potential Impact

The most common result of the exploitation of this vulnerability, like several other recently identified vulnerabilities in Oracle WebLogic, is to install cryptocurrency miners on the exploited servers. Attackers use the exploited server’s CPU resources to mine cryptocurrency unbeknownst to the owners. However, data theft is also a very real possibility since this exploitation allows the attacker to take over the Oracle WebLogic server.

What You Should Do

If you have an affected version of Oracle WebLogic running in your environment, you should immediately apply the patch for this vulnerability included in the Oracle July 2018 Critical Patch Update (CPU), released July 18, 2018. It is also recommended that you block external traffic to port 7001 until you are able to deploy the update, as this port has been associated with several active exploitation campaigns. Deploying the Oracle WebLogic patch is the most complete fix for this vulnerability.

If you are running earlier, unsupported versions of Oracle WebLogic, upgrading to a current, supported version that is receiving updates is a best practice to protect against this and future vulnerabilities. While Oracle has not confirmed any end-of-life versions of WebLogic are vulnerable, it is safest to assume earlier versions are also affected.

Known IOCs


Supporting Information

ERP

vSOC Threat Advisory – ERP Attacks on the Rise

US-CERT released an advisory on July 25, 2018 regarding an uptick in activity by attackers exploiting Enterprise Resource Planning (ERP) applications. This advisory was in response to a recently released Digital Shadows report titled ERP Applications Under Fire: How cyberattackers target the crown jewels. In the report, Digital Shadows, in partnership with Onapsis, provides new research and intelligence about the motives and techniques used by nation-state and hacktivist attackers against ERP systems.

ERP systems include the following platforms and typically hold an organization’s most sensitive information, its “crown jewels”:

  • Human Capital Management (HCM)
  • Supply Chain Management (SCM)
  • Customer Relationship Management (CRM)
  • Product Lifecycle Management (PLM)
  • Supplier Relationship Management (SRM)
  • Process Integration (PI)
  • Manufacturing & Operations (MO)
  • Asset Lifecycle Management (ALM)
  • Business Intelligence (BI)

The key findings from the Digital Shadows report are:

  • Hacktivist groups are actively attacking ERP systems to infiltrate and disrupt target organizations.
  • Cybercriminals have more sophisticated attacks that target “behind-the-firewall” ERP applications.
  • Nation-state actors are exploiting ERP systems to access sensitive or classified information.
  • Over the last 3 years, there has been a 160% increase in interest in exploits for SAP and SAP HANA applications in dark web and cybercriminal forums.
  • Most modern ERP attacks are leveraging unpatched and misconfigured applications.
  • Prevalence of cloud and mobile solutions has increased the organization’s attack surface. Digital Shadows has identified more than 17,000 SAP and Oracle ERP applications directly connected to the Internet.
  • Leaked information is also a major issue, with more than 500 SAP configuration files identified on insecure repositories accessible from the Internet.

The complexity of ERP software platforms often leaves customers struggling to apply security patches in a timely manner. The main contributing characteristics are:

  • Complex system architecture
  • Customized functionality
  • High number of interfaces and integrations
  • Proprietary protocols
  • Detailed and fine-grained access controls
  • No tolerance for downtime
  • Lack of knowledge and processes for ERP security
  • Reliance on third parties to support ERP platforms

The bottom line on ERP exploits and security is that there are 7 main areas customers need to focus on to improve their security posture.

  1. Identification and categorization of your business systems: It is essential to understand which systems are critical to your organization. Criticality, however, is more than just the amount of downtime you can tolerate from the system. It also includes the value of the system and the value of the data the system processes or stores.
  2. Vulnerability Management: This is not just conducting scans. Vulnerability management is the cyclical processes and procedures of identifying, categorizing, prioritizing, and remediating vulnerabilities in your software.
  3. Trained Resources: It is imperative that you employ (or contract) trained security resources that know your ERP and SAP platforms and are responsible for configuring, monitoring, and modifying the security parameters of each system.
  4. Architecture: Thousands of ERP and SAP applications are internet-accessible. Evaluate your architecture to identify which systems need this level of access to the Internet and which do not. Reducing your footprint will result in a smaller attack surface for the bad guys.
  5. Situational Awareness: Researchers have identified the inadvertent exposure of technical details and credentials for ERP and SAP systems by employees, contractors, and other third-parties who use insecure cloud-based platforms to share information.
  6. It Can Happen to You: Regardless of your industry, your size, your location, or how important you think you are to attackers, hackers, and activists, you probably are a target and just don’t know it yet. Realize that many attacks are not aimed at a particular organization; they are simply opportunistic attempts to monetize whatever data or systems can be reached. Cybercriminals and dark web forums are brimming with interest in ERP and SAP platforms to disrupt, steal from, and exploit organizations of all sizes. Realize that your organization’s data and systems have value, regardless of brand name, and implement a security program that corresponds to your organization’s risk posture.
  7. Your Mistake is Their Payday: Poor password hygiene, misconfigurations, and a lack of established processes and procedures all lead to mistakes that give attackers opportunities. Your mistakes allow them to steal and sell your sensitive data or compromise your systems for abuse. Costly and easily overlooked examples include cryptominer attacks on your servers, which consume your CPU resources and power to mine cryptocurrency for the attacker.

Resources