News

Attackers actively exploit previously discovered vulnerability in Oracle WebLogic

A recently fixed vulnerability in Oracle WebLogic is being actively exploited by cybercriminals to install cryptocurrency miners on vulnerable servers.

This is a deserialization vulnerability (CVE-2019-2725) that allows an unauthorized attacker to remotely execute commands.

The problem was discovered in April this year, by which time cybercriminals had already shown interest in it. Oracle fixed the vulnerability at the end of the same month; however, according to Trend Micro, it is currently being actively used in attacks.

“Reports emerged on the SANS ISC InfoSec forums that the vulnerability was already being actively exploited to install cryptocurrency miners. We managed to confirm these reports after feedback from the Trend Micro™ Smart Protection Network™ security architecture revealed a similar cryptocurrency-mining activity involving the vulnerability”, Trend Micro specialists report.

According to the researchers, attackers use the vulnerability to install cryptocurrency miners on compromised machines. To evade detection, they hide the malicious code in digital certificate files.

Once on the system, the malware exploits the vulnerability to execute commands and carry out a number of tasks. First, PowerShell downloads a certificate file from the C&C server, and CertUtil, a legitimate tool, is used to decode it. Then PowerShell executes the decoded file on the target system, and cmd deletes it.
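The chain above (PowerShell fetches a "certificate", CertUtil decodes it, PowerShell runs the result, cmd deletes it) is a sequence a defender can look for in process-creation telemetry. The following is an added example, not code from Trend Micro or from the article; the key=value event format, the host names, the file paths and the use of java.exe as the WebLogic parent process are all constructed for illustration. It correlates the four stages per host inside a time window and also shows that an isolated, legitimate CertUtil decode does not trip the rule.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Ordered stages of the chain the article describes: PowerShell fetches the
# "certificate", CertUtil decodes it, PowerShell runs the result, cmd deletes it.
STAGES = [
    ("powershell.exe", re.compile(r"\.(cer|crt|pem)\b", re.I)),
    ("certutil.exe", re.compile(r"-decode\b", re.I)),
    ("powershell.exe", re.compile(r"\.ps1\b", re.I)),
    ("cmd.exe", re.compile(r"\bdel\b", re.I)),
]
WINDOW = timedelta(minutes=5)  # all four stages must land inside this window

# Constructed process-creation events in a simple key=value form; these are
# not log lines from the report. java.exe stands in for the WebLogic process.
EVENTS = [
    '2019-06-10T10:00:01 host=web01 parent=java.exe image=powershell.exe cmd="powershell -NoProfile -Command <constructed fetch of C:\\Temp\\update.cer>"',
    '2019-06-10T10:00:04 host=web01 parent=powershell.exe image=certutil.exe cmd="certutil -decode C:\\Temp\\update.cer C:\\Temp\\update.txt"',
    '2019-06-10T10:00:05 host=web01 parent=powershell.exe image=certutil.exe cmd="certutil -decode C:\\Temp\\update.txt C:\\Temp\\stage2.ps1"',
    '2019-06-10T10:00:07 host=web01 parent=powershell.exe image=powershell.exe cmd="powershell -File C:\\Temp\\stage2.ps1"',
    '2019-06-10T10:00:09 host=web01 parent=powershell.exe image=cmd.exe cmd="cmd /c del C:\\Temp\\stage2.ps1"',
    # Legitimate administrative use elsewhere: a real certificate decoded, no follow-on.
    '2019-06-10T11:30:00 host=admin02 parent=explorer.exe image=certutil.exe cmd="certutil -decode C:\\Users\\ops\\corp-ca.cer C:\\Users\\ops\\corp-ca.der"',
    '2019-06-10T11:45:00 host=admin02 parent=explorer.exe image=powershell.exe cmd="powershell -File C:\\Scripts\\inventory.ps1"',
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) parent=(?P<parent>\S+) '
    r'image=(?P<image>\S+) cmd="(?P<cmd>.*)"$'
)


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Parse one constructed key=value event line; None if it does not fit."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_chains(lines: List[str], window: timedelta = WINDOW) -> List[Dict[str, str]]:
    """Return one record per host on which all STAGES occurred, in order, within window."""
    state: Dict[str, Dict] = {}  # host -> {"stage": next stage index, "start": first-stage time}
    hits: List[Dict[str, str]] = []
    events = [e for e in map(parse_event, lines) if e]
    events.sort(key=lambda e: e["ts"])  # ISO timestamps sort lexically
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        s = state.setdefault(e["host"], {"stage": 0, "start": None})
        if s["start"] is not None and ts - s["start"] > window:
            s["stage"], s["start"] = 0, None  # chain went stale: start over
        image, pattern = STAGES[s["stage"]]
        if e["image"].lower() == image and pattern.search(e["cmd"]):
            if s["stage"] == 0:
                s["start"] = ts
            s["stage"] += 1
            if s["stage"] == len(STAGES):
                hits.append({"host": e["host"], "start": s["start"].isoformat(), "end": ts.isoformat()})
                s["stage"], s["start"] = 0, None
    return hits


if __name__ == "__main__":
    for hit in find_chains(EVENTS):
        print(f"{hit['host']}: certificate-decode execution chain {hit['start']} .. {hit['end']}")
```

The rule deliberately keys on the order of the stages rather than on any single command: CertUtil decoding a file is routine on administrative hosts, and it is the decode sandwiched between a PowerShell download and a PowerShell execution, with the cleanup that follows, that separates this chain from normal use.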

The infection chain

The certificate file looks like a regular certificate in Privacy-Enhanced Mail (PEM) format, but its content is a PowerShell command rather than the usual X.509 certificate used for TLS. The file has to be decoded twice before the command is obtained, which is quite unusual, because the exploit chain calls CertUtil only once.
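A PEM wrapper proves nothing about what is inside it: a genuine certificate decodes to a single DER SEQUENCE whose encoded length covers the whole payload, whereas a disguised script decodes to text, possibly to another PEM block, as the double decoding described above suggests. The following checker is an added example, not code from Trend Micro or from the article; the sample inputs (a minimal DER SEQUENCE standing in for a real certificate, and a harmless Write-Host line wrapped twice) are constructed, and the cmdlet-shape heuristic is an assumption of this example.

```python
import base64
import re
from typing import Optional

# Any PEM block; the label is captured so BEGIN and END must agree.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
# Heuristic (assumption of this example): Verb-Noun cmdlet shape or common aliases.
PS_RE = re.compile(r"\b[A-Z][a-z]+-[A-Z][A-Za-z]+\b|\bIEX\b|-EncodedCommand")


def pem_body(text: str) -> Optional[bytes]:
    """Decode the base64 body of the first PEM block in text; None if absent or invalid."""
    m = PEM_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(re.sub(r"\s+", "", m.group(2)), validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None


def looks_like_der(b: bytes) -> bool:
    """A real X.509 certificate is one DER SEQUENCE (tag 0x30) whose length
    field accounts for exactly the rest of the payload."""
    if len(b) < 2 or b[0] != 0x30:
        return False
    first = b[1]
    if first < 0x80:                      # short-form length
        return len(b) == 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(b) < 2 + n:
        return False
    length = int.from_bytes(b[2:2 + n], "big")
    return len(b) == 2 + n + length


def classify_pem(text: str) -> dict:
    """Peel nested PEM layers and report how many there were and what was underneath."""
    layers, current = 0, text
    while True:
        payload = pem_body(current)
        if payload is None:
            break
        layers += 1
        if looks_like_der(payload):
            return {"layers": layers, "verdict": "der_certificate"}
        try:
            current = payload.decode("utf-8")   # not DER: is it text, maybe more PEM?
        except UnicodeDecodeError:
            return {"layers": layers, "verdict": "binary_non_der"}
    if layers == 0:
        return {"layers": 0, "verdict": "not_pem"}
    verdict = "script_payload" if PS_RE.search(current) else "text_payload"
    return {"layers": layers, "verdict": verdict}


def wrap_pem(label: str, data: bytes) -> str:
    """Build a PEM block (64-column base64) around arbitrary bytes."""
    b64 = base64.b64encode(data).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed samples, not material from the report.
GENUINE = wrap_pem("CERTIFICATE", b"\x30\x03\x02\x01\x05")   # minimal DER SEQUENCE
SCRIPT = "Write-Host 'constructed sample payload'"
DISGUISED = wrap_pem("CERTIFICATE", wrap_pem("CERTIFICATE", SCRIPT.encode()).encode())

if __name__ == "__main__":
    for name, sample in (("genuine", GENUINE), ("disguised", DISGUISED)):
        print(name, classify_pem(sample))
```

The DER check is structural only; it does not validate a certificate, but a file that carries a PEM header and fails even this check has no business being fed to CertUtil on a WebLogic host. The cmdlet-shape regex will also match hyphenated English such as "Privacy-Enhanced", so treat "script_payload" as a triage signal rather than a verdict.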

The idea of using certificate files to obfuscate malicious code is not a new one. However, real attacks using this method had not previously been detected, and where they have occurred, they are very rare.

It is worth remembering that Oracle has already released an update that addresses CVE-2019-2725. Organizations that use WebLogic Server are therefore strongly advised to update their software to the latest version to prevent attacks that exploit this vulnerability from affecting their businesses.

Source: https://blog.trendmicro.com

Polina Lisovskaya

I have worked as a marketing manager for years now and love searching for interesting topics for you
