Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Oracle Weblogic Server. Show all posts
Oracle Weblogic Server
Crypto Mining DDOS Attacks Hadooken Malware malware Oracle Weblogic Server

Crypto Mining and DDoS Threats: How Hadooken Malware Targets Oracle Web Logic Servers

Crypto Mining and DDoS Threats: How Hadooken Malware Targets Oracle Web Logic Servers

Threat actors were found exploiting poorly secured Oracle WebLogic servers for mining cryptocurrency, building a DDoS botnet, and other malicious activities. 

The Discovery

Researchers from Aqua Cybersecurity found various attacks in the wild and decided to catch culprits by running a honeypot (a cybersecurity technique that creates a decoy system to trick and trap threat actors). Soon after, the experts found a threat actor breaking through weak passwords, and installing a malware called “Hadooken.”

The malware was used in a few other attacks in recent times, and it has two primary functions- a DDoS botnet and cryptocurrency mining. Besides this, the malware gives threat actors complete control over the compromised endpoint. 

About Hadooken Malware

Oracle WebLogic is a Java-based application that allows the management, development, and deployment of enterprise-level apps. It is generally used in financial and banking services, telecommunications, public services, and government organizations. Because of its popularity, WebLogic has also become a major target for threat actors as has “various vulnerabilities” The Register reports. 

Impact on Organizations

Until now, the experts found threat actors use Hadooken for mining crypto, while other functions are yet to be used. Experts also believe that Hadooken has hints of ransomware functions. “It could be the threat actor will introduce this attack to a Linux ransomware as well, or it is already introduced if the malware runs on the system longer than a sandbox execution,” the experts said.

When researchers tracked the IP addresses of the Hadooken malware, they came across tow IP addresses, one IP belongs to a UK hosting company, but it is registered in Germany. Earlier, the address was associated with TeamTNT and Gang 8220, but this link is not strong evidence to connect these attacks with threat actors, according to the experts. The second IP address belongs to Russia, registered with the same hosting company, but currently inactive.

How Hadooken Works

Haddoken abuses flaws in the Oracle WebLogic servers. These flaws come from unpatched misconfigurations or unpatched software. Once the malware gets access, it makes a foothold in the system, letting threat actors perform remote commands. 

Hadooken’s ability to steal passwords is a concern, it captures login credentials, and threat actors can move laterally inside a network, gaining access to other systems and data. It can cause more data breaches and ransomware attacks.
Read more »
Vulnerabilities
Cryptojacking Cryptojacking Campaign Imperva Imperva Threat Research malware Oracle Weblogic Server Threat research TTPs Vulnerabilities

Imperva Report Previously Undocumented 8220 Gang Activities


Imperva Threat Research team has recently discovered a previously unreported activity from the 8220 gang, which is well-known for mass-deploying a range of constantly evolving TTPs to distribute malware in large quantities. The threat actor has a history of using cryptojacking malware to target Linux and Windows web servers.

The researchers reported the issue in a blog, discussing the group’s attack tactics, recent activities, and indicators of compromise (IoCs) from the threat actor’s most recent campaign. Customers of Imperva are shielded from the known actions of this group. All firms are required to keep their security and patching up-to-date. 

History of the Threat Actor

The 8220 gang, which is believed to be a China-based group, was initially discovered in 2017 by Cisco Talos. The targets include Apache Struts2, Hadoop YARN, and Drupal systems, where the threat actors transmitted cryptojacking malware. Since then, a number of additional researchers have offered updates on the group's growing tactics, methods, and procedures (TTPs), which include making use of vulnerabilities in Log4j and Confluence. The group's use of the Oracle WebLogic vulnerability CVE-2017-3506 to infect specific systems was most recently shown by Trend Micro.

Evolving TTPs

The Imperva Threat Research disclosed the use of malware identified as CVE-2021-44228 and CVE-2017-3506. Also, the researchers revealed that the threat group exploited CVE-2020-14883, a Remote Code Execution vulnerability in Oracle WebLogic Server, to spread malware.

This vulnerability, frequently linked with CVE-2020-14882 (an authentication bypass vulnerability also affecting Oracle Weblogic Server) or using compromised, stolen, or leaked credentials, permits remote authenticated attackers to execute code via a gadget chain. The documented exploitation of these vulnerabilities is extensive. This way, it is easier to modify for the distribution of malware. 

The 8220 gang employs two distinct gadget chains: one allows an XML file to be loaded, and this file contains a call to another gadget chain that allows commands to be executed on the operating system.

The report further notes that Imperva Cloud WAF and on-prem WAF have addressed the issues already by mitigating flaws that were used by the 8220 gang for conducting their malicious activities. Some of these vulnerabilities have been listed below:

  • CVE-2017-3506 – Oracle WebLogic Server RCE 
  • CVE-2019-2725 – Oracle WebLogic Server Authenticated Deserialization 
  • CVE-2020-14883 – Oracle WebLogic Server Authenticated RCE 
  • CVE-2021-26084 – Atlassian Confluence Server OGNL Injection RCE 
  • CVE-2021-44228 – Apache Log4j JNDI RCE 
  • CVE-2022-26134 – Atlassian Confluence Server RCE  

Read more »
Subscribe to: Posts (Atom)