UPDATED 22:39 EDT / MAY 01 2019

SECURITY

Vulnerability in Oracle WebLogic Server being actively exploited by hackers

A security vulnerability in Oracle Corp.’s WebLogic Server is actively being exploited by hackers.

The vulnerability, CVE-2019-2725, is a remote code execution vulnerability that gives hackers access to a WebLogic server without the need for authentication.

Oracle released a patch for the vulnerability April 26, but many with WebLogic Server installations have yet to install the patch, opening the door for hackers to run riot.

The current widespread attack is using a variant of the Muhstik botnet to install a new form of ransomware dubbed “Sodinokibi.” The ransomware shares typical traits with other forms in that it encrypts files and demands a payment to release them, but it comes with a number of additional traits.

The extra functions in Sodinokibi include code that attempts to destroy backups to prevent victims from restoring lost data and also disables the default Windows backup mechanism, making restoring data harder again.

To make matters worse, those behind the attack are also reported to have deployed a second ransomware family, Gandcrab, on the same targeted systems.

“We find it strange the attackers would choose to distribute additional, different ransomware on the same target,” security researchers at Cisco Talos noted. “Sodinokibi being a new flavor of ransomware, perhaps the attackers felt their earlier attempts had been unsuccessful and were still looking to cash in by distributing Gandcrab.”

The origin of the attackers is unknown, but the vulnerability and exploits were first detected by security researchers in China and Taiwan April 17. An IP trace for the origin of the attacks links back to a number of servers in Chile, but that does not necessarily indicate where those behind the hacking are located, as those servers may themselves be compromised. Those running an Oracle WebLogic Server are being urgently advised to apply the patch, and Cisco gave the vulnerability a 9.8 out of 10 severity rating.

That said, the patch is only available to those who have subscribed to Oracle’s Premium Support or Extended Support phases of their Lifetime Support Policy. “Oracle recommends that customers plan product upgrades to ensure that patches released through the Security Alert program are available for the versions they are currently running,” the company said in its security advisory.

Image: Cisco Talos
