Article Details
Scrape Timestamp (UTC): 2024-06-04 03:35:29.930
Source: https://thehackernews.com/2024/06/oracle-weblogic-server-os-command.html
Original Article Text
Oracle WebLogic Server OS Command Injection Flaw Under Active Attack

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a security flaw impacting the Oracle WebLogic Server to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

Tracked as CVE-2017-3506 (CVSS score: 7.4), the issue concerns an operating system (OS) command injection vulnerability that could be exploited to obtain unauthorized access to susceptible servers and take complete control.

"Oracle WebLogic Server, a product within the Fusion Middleware suite, contains an OS command injection vulnerability that allows an attacker to execute arbitrary code via a specially crafted HTTP request that includes a malicious XML document," CISA said.

While the agency did not disclose the nature of attacks exploiting the vulnerability, the China-based cryptojacking group known as the 8220 Gang (aka Water Sigbin) has a history of leveraging it since early last year to co-opt unpatched devices into a crypto-mining botnet.

According to a recent report published by Trend Micro, the 8220 Gang has been observed weaponizing flaws in the Oracle WebLogic server (CVE-2017-3506 and CVE-2023-21839) to launch a cryptocurrency miner filelessly in memory by means of a shell or PowerShell script depending on the operating system targeted.

"The gang employed obfuscation techniques, such as hexadecimal encoding of URLs and using HTTP over port 443, allowing for stealthy payload delivery," security researcher Sunil Bharti said. "The PowerShell script and the resulting batch file involved complex encoding, using environment variables to hide malicious code within seemingly benign script components."

In light of the active exploitation of CVE-2024-1086 and CVE-2024-24919, federal agencies are recommended to apply the latest fixes by June 24, 2024, to protect their networks against potential threats.
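As an added illustration (not code from the article or from Trend Micro's report), the following Python script runs over a few constructed proxy log lines and flags the two delivery tricks quoted above: a download URL hidden behind hexadecimal or percent encoding, and plain HTTP carried over port 443. The log format, client addresses, hosts and paths are all constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed sample proxy log lines (not from the article):
# "<client> <scheme> <host> <port> <request_uri>"
SAMPLE_LOG = """\
10.0.0.5 https updates.example.org 443 /software/patch.msi
10.0.0.7 http 203.0.113.10 443 /dl?u=687474703a2f2f3230332e302e3131332e31302f782e7368
10.0.0.9 http 203.0.113.11 80 /dl?u=%68%74%74%70%3a%2f%2f203.0.113.11/x.ps1
10.0.0.4 https www.example.com 443 /index.html
"""

HEX_RUN = re.compile(r"(?:[0-9a-fA-F]{2}){8,}")   # run of at least 8 bare hex pairs
URL_LIKE = re.compile(r"https?://", re.IGNORECASE)

def decode_hex_layers(s: str) -> str:
    """Undo %xx percent-encoding, then replace long bare hex runs that decode
    to printable ASCII (e.g. 687474703a2f2f -> http://). Other runs are left alone,
    so ordinary hex tokens such as session IDs are not mangled."""
    out = unquote(s)
    def _sub(m):
        try:
            text = bytes.fromhex(m.group(0)).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            return m.group(0)
        return text if text.isprintable() else m.group(0)
    return HEX_RUN.sub(_sub, out)

def analyse(log_text: str) -> list:
    """Return (client, reason, decoded_uri) tuples for lines matching the
    obfuscation patterns described in the article."""
    findings = []
    for line in log_text.splitlines():
        client, scheme, host, port, uri = line.split(" ", 4)
        decoded = decode_hex_layers(uri)
        reasons = []
        # A URL that only appears after decoding is the hex-encoded-URL trick.
        if decoded != uri and URL_LIKE.search(decoded) and not URL_LIKE.search(uri):
            reasons.append("hex-encoded URL in request")
        # Cleartext HTTP on the HTTPS port is the "HTTP over port 443" trick.
        if scheme == "http" and port == "443":
            reasons.append("plain HTTP on port 443")
        for reason in reasons:
            findings.append((client, reason, decoded))
    return findings

if __name__ == "__main__":
    for client, reason, decoded in analyse(SAMPLE_LOG):
        print(f"{client}: {reason} -> {decoded}")
```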
Daily Brief Summary
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has reported active exploitation of a security flaw in Oracle WebLogic Server, identified as CVE-2017-3506 with a CVSS score of 7.4.
The vulnerability allows attackers to perform an OS command injection, enabling unauthorized access and full control over affected servers through a specially crafted HTTP request containing a malicious XML document.
Although details of the attacks remain undisclosed by CISA, it's noted that the China-based 8220 Gang has used this flaw for cryptojacking activities by running a cryptocurrency miner filelessly within compromised systems.
The 8220 Gang utilizes obfuscation techniques such as hexadecimal encoding of URLs and the use of HTTP over port 443 for stealthy payload delivery, further complicating detection and mitigation efforts.
Attackers are using a combination of shell and PowerShell scripts, depending on the targeted operating system, to execute the crypto-mining malware directly in memory.
Federal agencies are urged to apply the latest security fixes by June 24, 2024, to safeguard their networks against ongoing and potential exploits of this nature.
The continued exploitation highlights the necessity for continuous attack surface discovery, penetration testing, and adherence to updated security measures.