A security vulnerability in Oracle Corp.’s WebLogic Server is actively being exploited by hackers.

The vulnerability, CVE-2019-2725, is a remote code execution vulnerability that gives hackers access to a WebLogic server without the need for authentication.

Oracle released a patch for the vulnerability April 26, but many with WebLogic Server installations have yet to install the patch, opening the door for hackers to run riot.

The current widespread attack is using a variant of the Muhstik botnet to install a new form of ransomware dubbed “Sodinokibi.” The ransomware shares typical traits with other forms in that it encrypts files and demands a payment to release them, but it comes with a number of additional traits.

The extra functions in Sodinokibi include code that attempts to destroy backups to prevent victims from restoring lost data and also disables the default Windows backup mechanism, making restoring data harder again.

To make matters worse, those behind the attack are then reported to have gone for a double-strike with a second form of malware called Gandcrab also being deployed on targeted systems.

“We find it strange the attackers would choose to distribute additional, different ransomware on the same target,” security researches at Cisco Talos noted. “Sodinokibi being a new flavor of ransomware, perhaps the attackers felt their earlier attempts had been unsuccessful and were still looking to cash in by distributing Gandcrab.”

The origin of the attackers is unknown, but the vulnerability and exploits were first detected by security researchers in China and Taiwan April 17. An IP trace for the origin of the attacks links back to a number of servers in Chile, but that does not necessarily indicate the origin of those behind the hacking as it servers may be compromised themselves. Those running an Oracle WebLogic Server are being urgently advised to apply the patch and Cisco gave the vulnerability a 9.8 out 10 severity rating.

That said, the patch is only available to those who have subscribed to Oracle’s Premium Support or Extended Support phases of their Lifetime Support Policy. “Oracle recommends that customers plan product upgrades to ensure that patches released through the Security Alert program are available for the versions they are currently running,” the company said in its security advisory.

Image: Cisco Talos