U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Crooks exploit Oracle WebLogic flaw to deliver Sodinokibi Ransomware

Threat actors are exploiting a recently patched critical Oracle WebLogic Server vulnerability to deliver the Sodinokibi ransomware to organizations. Threat actors are delivering a new piece of malware, tracked as Sodinokibi, by exploiting a recently patched Oracle WebLogic Server vulnerability. Oracle WebLogic Server is a Java EE application server currently developed by Oracle Corporation, it […]

Sodinokibi ransomware

Threat actors are exploiting a recently patched critical Oracle WebLogic Server vulnerability to deliver the Sodinokibi ransomware to organizations.

Threat actors are delivering a new piece of malware, tracked as
Sodinokibi, by exploiting a recently patched Oracle WebLogic Server vulnerability.

Oracle WebLogic Server is a Java EE application server currently developed by Oracle Corporation, it is used by numerous applications and web enterprise portals based on Java technology. The flaw initially received the identifier CNVD-C-2019-48814.

An attacker could exploit the vulnerability to remotely execute commands without authorization by sending a specially crafted HTTP request.

On April 26, Oracle addressed the flaw with the release of an out-of-band update.

The threat was detected and analyzed by several firms (i.e. South Korean EST Security, Cisco’s Talos), independent researchers, intelligence group.

“Oracle first patched the issue on April 26, outside of their normal patch cycle, and assigned it CVE-2019-2725. This vulnerability is easy for attackers to exploit, as anyone with HTTP access to the WebLogic server could carry out an attack. Because of this, the bug has a CVSS score of 9.8/10.” reads the analysis published by Cisco Talos.” Attackers have been making use of this exploit in the wild since at least April 17. “

Sodinokibi ransomware

Crooks used PowerShell commands to download and execute malicious payloads, they demanded a ransom that ranges from $1,500 worth of BitCoin up to $2,500. The ransom doubles if the victims do not pay it within a specified number of days.

Talos started seeing the first stages of the Sodinokibi attacks — the attackers first looked for exploitable WebLogic servers —

Since April 25, one day before Oracle released security patches, the experts started observing Sodinokibi ranomware infections.

Talos also noted that threat actors were exploiting the flaw to deliver the popular Gandcrab ransomware.

“We find it strange the attackers would choose to distribute additional, different ransomware on the same target. Sodinokibi being a new flavor of ransomware, perhaps the attackers felt their earlier attempts had been unsuccessful and were still looking to cash in by distributing Gandcrab,” continues Talos researchers.

Experts discovered that the CVE-2019-2725 has been also exploited to deliver cryptocurrency miners and other types of malware. Researchers believe it has also likely been exploited in targeted attacks.

“Due to the ubiquity of Oracle WebLogic servers and the ease of exploitation of this vulnerability, Talos expects widespread attacks involving CVE-2019-2725 ” concludes Talos.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – sodinokibiransomware, Weblogic)

[adrotate banner=”5″]

[adrotate banner=”13″]