New Linux Malware Exploiting Oracle WebLogic Servers


Oracle WebLogic Server is an application server that is primarily designed to develop, deploy, and manage enterprise applications based on Java EE and Jakarta EE standards.

It serves as a critical component of Oracle’s Fusion Middleware, which provides a reliable and scalable environment.


Aqua Nautilus researchers recently discovered a new Linux malware, dubbed "Hadooken", that is actively targeting Oracle WebLogic servers.

Linux Malware Exploiting WebLogic Servers

Hadooken gains initial access to Oracle WebLogic servers by abusing weak administrator credentials, not by exploiting a software vulnerability in WebLogic itself.

Once inside, it deploys two components:

  • A cryptominer (MD5: 9bea7389b633c331e706995ed4b3999c)
  • Tsunami malware (MD5: 8eef5aa6fa9859c71b55c1039f02d2e6)

The attack uses a shell script ('c') and a Python script ('y') to download and execute the payloads, favouring writable, non-persistent locations such as /tmp for the staging files.


The cryptominer is written to fixed paths ('/usr/bin/crondr', '/usr/bin/bprofr', and '/mnt/-java'), while Tsunami is dropped under /tmp with a random filename.

Persistence is maintained through cron jobs placed in the /etc/cron.*/ directories (hourly, daily, weekly, monthly), so that the miner is relaunched at varying frequencies if it is killed or the host reboots.
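The fixed drop paths, the published MD5 hashes and the /etc/cron.*/ persistence described above are enough to write a quick host triage. The following is an added example (not code from the article or from Aqua Nautilus): it checks the three reported paths, hashes whatever it finds, scans /etc/cron.*/ and /etc/crontab for jobs that reference those paths, and hashes files in /tmp to catch the randomly named Tsunami binary. The assumption that the cron jobs reference the drop paths by name is ours; the article does not publish the job text. The sample host tree built by `build_sample_host` is constructed for the demonstration, not a real infection.

```python
"""Triage a Linux host for the Hadooken artefacts reported by Aqua Nautilus."""
import hashlib
import tempfile
from pathlib import Path

# Hashes exactly as published in the report (MD5 is what the report uses).
KNOWN_MD5 = {
    "9bea7389b633c331e706995ed4b3999c": "Hadooken cryptominer",
    "8eef5aa6fa9859c71b55c1039f02d2e6": "Tsunami malware",
}
# Fixed drop paths from the report, relative to the filesystem root.
DROP_PATHS = ["usr/bin/crondr", "usr/bin/bprofr", "mnt/-java"]


def md5_of(path: Path) -> str:
    """Stream the file so large binaries do not need to fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_drop_paths(root: Path) -> list[str]:
    """Report any of the fixed drop paths that exist, with its hash.
    An unknown hash is still a finding: these paths are not used by any
    legitimate package, so presence alone is suspicious."""
    findings = []
    for rel in DROP_PATHS:
        p = root / rel
        if p.is_file():
            digest = md5_of(p)
            label = KNOWN_MD5.get(digest, "unknown hash")
            findings.append(f"file present: /{rel} md5={digest} ({label})")
    return findings


def check_cron(root: Path) -> list[str]:
    """Flag cron jobs in /etc/cron.*/ or /etc/crontab that reference a drop path.
    Assumption (ours, not the report's): the jobs name the binary directly."""
    needles = ["/" + rel for rel in DROP_PATHS]
    candidates = [p for d in sorted((root / "etc").glob("cron.*")) if d.is_dir()
                  for p in d.iterdir()]
    candidates.append(root / "etc/crontab")
    findings = []
    for job in candidates:
        if not job.is_file():
            continue
        try:
            text = job.read_text(errors="replace")
        except OSError:
            continue
        for line in text.splitlines():
            if any(n in line for n in needles):
                findings.append(f"cron job {job.relative_to(root).as_posix()}: {line.strip()}")
    return findings


def check_tmp(root: Path) -> list[str]:
    """Tsunami uses a random filename in /tmp, so match by hash, not by name."""
    findings = []
    tmp = root / "tmp"
    if not tmp.is_dir():
        return findings
    for p in tmp.rglob("*"):
        if not p.is_file() or p.is_symlink():
            continue
        try:
            digest = md5_of(p)
        except OSError:
            continue
        if digest in KNOWN_MD5:
            findings.append(f"known hash in tmp: {p.relative_to(root).as_posix()} ({KNOWN_MD5[digest]})")
    return findings


def hunt(root: Path = Path("/")) -> list[str]:
    return check_drop_paths(root) + check_cron(root) + check_tmp(root)


def build_sample_host(base: Path) -> None:
    """Constructed sample tree (not a real infected host) for demonstration."""
    (base / "usr/bin").mkdir(parents=True)
    (base / "usr/bin/crondr").write_bytes(b"placeholder, not the real miner")
    (base / "etc/cron.hourly").mkdir(parents=True)
    (base / "etc/cron.hourly/0").write_text("*/15 * * * * root /usr/bin/crondr\n")
    (base / "tmp").mkdir()
    (base / "tmp/harmless").write_bytes(b"hello")


def demo() -> list[str]:
    """Run the hunt against the constructed tree: expect two findings
    (the planted binary with an unknown hash, and the cron job)."""
    with tempfile.TemporaryDirectory() as tmpdir:
        base = Path(tmpdir)
        build_sample_host(base)
        return hunt(base)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a live host, run `hunt()` with the default root as a privileged user; the hash table only confirms the exact samples from the report, so treat an unknown hash at one of the fixed paths as a finding to investigate, not as a clean result.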

Attack flow (Source – Aquasec)

For lateral movement, the malware searches various directories for SSH data (credentials and host information) that would let it reach other machines. Its evasion techniques include base64-encoded payloads, clearing of logs, and process masquerading under innocuous names.

The associated IP addresses 89.185.85.102 and 185.174.136.204 have also been linked to ransomware distribution, including Mallox (MD5: 4a12098c3799ce17d6d59df86ed1a5b6), RHOMBUS, and NoEscape.

A related PowerShell script, 'b.ps1' (MD5: c1897ea9457343bd8e73f98a1d85a38f), distributes Mallox ransomware, indicating that the same operators also target Windows hosts as part of a multi-platform campaign.

Besides this, Shodan shows over 230,000 internet-connected WebLogic servers, several hundred of which expose their administration console and are therefore open to the same credential-based attack.

The MITRE ATT&CK mapping of the campaign is shown below:

MITRE ATT&CK framework (Source – Aquasec)

Mitigation

The following mitigations are recommended. Since the campaign relies on weak administrator credentials and exposed consoles rather than on a software flaw, credential hygiene and exposure reduction matter as much as the tooling listed:

  • Enforce strong, unique credentials for the WebLogic administration console and do not expose it directly to the internet.
  • Use IaC scanning tools to detect misconfigurations before deployment.
  • Use CSPM tools to scan cloud configurations for risks.
  • Scan Kubernetes clusters for misconfigurations.
  • Secure container images and Dockerfiles.
  • Monitor runtime environments for the drop paths, cron entries, and hashes listed in the IOCs.

IOCs

IOCs (Source – Aquasec)
