vSOC SPOT Report: Oracle WebLogic
Posted by: GuidePoint Security
Overview
On July 18, 2018, Oracle released a routine patch for an Oracle WebLogic Server remote code execution vulnerability (CVE-2018-2893). This vulnerability can allow an unauthenticated attacker to remotely compromise and take over the Oracle WebLogic server. CVE-2018-2893 received a “critical” rating and a CVSSv3 score of 9.8 out of 10 because of how easily a remote unauthenticated attacker can exploit it. Within three days of the public announcement of the vulnerability and the release of the patch, proof-of-concept code to exploit the vulnerability was available online. Many security research teams have observed a sharp uptick in scanning and exploitation attempts as different threat actors modify their campaigns to use the newly public exploit code.
Technical Overview
Details about the vulnerability were not made public until after Oracle released patches for the bug on July 18, 2018. Several proof-of-concept (POC) exploits were posted to various websites shortly after the patch was released, and automated exploitation of the vulnerability became widespread.
Two groups currently being monitored have automated exploits and are using them at scale to gain control of unpatched WebLogic servers. The exploit allows an unauthenticated attacker to gain access to the server, typically over port 7001, and to drop and execute a .jar file, which unpacks and executes code that drops additional files onto the system, including Bill Gates DDoS malware, the XMRig Monero crypto-miner, and other backdoors.
Versions of Oracle WebLogic that are affected by this vulnerability are:
- 10.3.6.0
- 12.1.3.0
- 12.2.1.2
- 12.2.1.3
Oracle has not confirmed whether older, unsupported versions are affected, but they should be assumed vulnerable.
Potential Impact
The most common outcome of exploiting this vulnerability, as with several other recently identified vulnerabilities in Oracle WebLogic, is the installation of cryptocurrency miners on the exploited servers. Attackers use the exploited server’s CPU resources to mine cryptocurrency without the owners’ knowledge. However, data theft is also a very real possibility, since exploitation allows the attacker to take over the Oracle WebLogic server.
What You Should Do
If you have an affected version of Oracle WebLogic running in your environment, you should immediately apply the patch for this vulnerability (Oracle July 2018 CPU), which was released July 18, 2018. It is also recommended that you block external traffic on port 7001 until you are able to deploy the update. This port has been associated with several active exploitation campaigns. Deploying the Oracle WebLogic patch is the most complete fix for this vulnerability.
If you are running earlier, unsupported versions of Oracle WebLogic, upgrading to a current, supported version that is receiving updates is a best practice to protect against this and future vulnerabilities. While Oracle has not confirmed that any end-of-life versions of WebLogic are vulnerable, it is safest to assume earlier versions are also affected.
Known IOCs
- 121.18.238.56 AS4837 CHINA UNICOM China169 Backbone
- 103.99.115.220 AS21859 Zenlayer Inc
- 5.8.54.27 Petersburg Internet Network ltd
- 185.159.128.200 IT Outsourcing LLC
- luoxkexp.com
- MD5 hash – 2f7df3baefb1cdcd7e7de38cc964c9dc
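The guidance above can be turned into a quick triage check. The following is an added example, not code from GuidePoint or Oracle: it classifies a WebLogic version string against the affected list and flags connection records that show external access to port 7001 or traffic involving the listed IOC addresses. The log format, the internal address ranges, and the sample records are assumptions constructed for illustration.

```python
import ipaddress

# From the report: affected releases, the port seen in campaigns, IOC addresses.
AFFECTED = {(10, 3, 6, 0), (12, 1, 3, 0), (12, 2, 1, 2), (12, 2, 1, 3)}
WEBLOGIC_PORT = 7001
IOC_IPS = {"121.18.238.56", "103.99.115.220", "5.8.54.27", "185.159.128.200"}
# Assumption: these ranges are "internal"; adjust to the local address plan.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_version(version):
    """Map a WebLogic version string to the report's exposure guidance."""
    parts = tuple(int(p) for p in version.split("."))[:4]
    if parts in AFFECTED:
        return "affected"
    # Older releases are unconfirmed by Oracle; the report says to assume
    # they are vulnerable. Anything newer than the list is simply not listed.
    return "assume-vulnerable" if parts < max(AFFECTED) else "not-listed"

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)

def triage(log_lines):
    """Return (reason, line) findings from 'timestamp src dst dport' records."""
    findings = []
    for line in log_lines:
        _ts, src, dst, dport = line.split()
        if src in IOC_IPS or dst in IOC_IPS:
            findings.append(("ioc-address", line))
        elif (int(dport) == WEBLOGIC_PORT and not is_internal(src)
              and is_internal(dst)):
            findings.append(("external-to-7001", line))
    return findings

# Constructed sample records (format and internal hosts are hypothetical).
SAMPLE = [
    "2018-07-23T10:00:01Z 10.1.2.3 10.1.9.20 7001",       # internal client
    "2018-07-23T10:00:07Z 203.0.113.7 10.1.9.20 7001",    # external source on 7001
    "2018-07-23T10:01:12Z 5.8.54.27 10.1.9.20 7001",      # source is a listed IOC
    "2018-07-23T10:02:30Z 10.1.9.20 185.159.128.200 80",  # server reaching a listed IOC
    "2018-07-23T10:03:00Z 203.0.113.7 10.1.9.21 443",     # unrelated port
]

if __name__ == "__main__":
    for v in ("12.2.1.3.0", "10.3.5.0", "12.2.1.4.0"):
        print(v, classify_version(v))
    for reason, line in triage(SAMPLE):
        print(reason, line)
```

An outbound record from a WebLogic host to a listed address, such as the fourth sample line, is the finding that most strongly suggests a server has already been compromised rather than merely scanned.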
Supporting Information
- https://nvd.nist.gov/vuln/detail/CVE-2018-2893
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2893
- https://www.securityweek.com/recently-patched-oracle-weblogic-flaw-exploited-wild?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Securityweek+%28SecurityWeek+RSS+Feed%29
- https://www.bleepingcomputer.com/news/security/attacks-on-oracle-weblogic-servers-detected-after-publication-of-poc-code/
- https://github.com/anbai-inc/CVE-2018-2893 – POC
- https://github.com/Ryaninf/CVE-2018-2893 – POC
- https://0day.city/0day-18564.html – POC
- http://blog.netlab.360.com/malicious-campaign-luoxk-is-actively-exploiting-cve-2018-2893/
- https://isc.sans.edu/forums/diary/Weblogic+Exploit+Code+Made+Public+CVE20182893/23896/
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html