Phone : +91 9582 90 7788 | Email : sales@itmonteur.net

Register & Request Quote | Submit Support Ticket

Home » Cyber Security News » Attackers exploit major vulnerability in Oracle WebLogic Server to drop cryptominers

Attackers exploit major vulnerability in Oracle WebLogic Server to drop cryptominers

  • The vulnerability was actively exploited to install miners for cryptocurrencies such as Monero.
  • It was reported that the malware used in the attack cloaked itself in certificate files for obfuscation.

A security vulnerability in Oracle WebLogic Server was found to be actively exploited by cybercriminals to install cryptocurrency miners. Security researchers from Trend Micro discovered that the malware used in the attack hid in certificate files and later dropped Monero miners in the system.

Tracked as CVE-2019-2725, the vulnerability is a deserialization remote code execution (RCE) flaw, which could allow unauthenticated attackers with network access to compromise WebLogic servers.

Worth noting

  • In their blog, the researchers detailed the infection chain of the attack. The attack begins with the malware exploiting CVE-2019-2725 to execute a PowerShell command.
  • This command is used to download a certificate file from a C2 server. The file, saved as ‘cert.cer’, is decoded using a Windows application called certutil. This decoded file is saved as ‘update.ps1’.
  • Upon executing this decoded file, the certificate file is deleted. Parallelly, a PowerShell script is downloaded and stored in memory. This script downloads and executes the cryptocurrency miner payload and other components.

Using certificate files for obfuscation

The researchers suggest that the use of certificate files for hiding malware has been prevalent for a while. “The idea of using certificate files to hide malware is not a new one: a proof of concept was introduced late last year by Sophos in which they demonstrated placing an Excel file with an embedded macro inside a certificate file,” read their blog.

“By using certificate files for obfuscation purposes, a piece of malware can possibly evade detection since the downloaded file is in a certificate file format which is seen as normal -— especially when establishing HTTPS connections,” added the researchers.

Oracle has released an update to fix the issue in WebLogic. Users are advised to apply this update to stay protected from RCE and similar attacks.

Information Security - InfoSec - Cyber Security - Firewall Providers Company in India

What is Firewall? A Firewall is a network security device that monitors and filters incoming and outgoing network traffic based on an organization's previously established security policies. At its most basic, a firewall is essentially the barrier that sits between a private internal network and the public Internet.

 

Secure your network at the gateway against threats such as intrusions, Viruses, Spyware, Worms, Trojans, Adware, Keyloggers, Malicious Mobile Code (MMC), and other dangerous applications for total protection in a convenient, affordable subscription-based service. Modern threats like web-based malware attacks, targeted attacks, application-layer attacks, and more have had a significantly negative effect on the threat landscape. In fact, more than 80% of all new malware and intrusion attempts are exploiting weaknesses in applications, as opposed to weaknesses in networking components and services. Stateful firewalls with simple packet filtering capabilities were efficient blocking unwanted applications as most applications met the port-protocol expectations. Administrators could promptly prevent an unsafe application from being accessed by users by blocking the associated ports and protocols.

 

Firewall Firm is an IT Monteur Firewall Company provides Managed Firewall Support, Firewall providers , Firewall Security Service Provider, Network Security Services, Firewall Solutions India , New Delhi - India's capital territory , Mumbai - Bombay , Kolkata - Calcutta , Chennai - Madras , Bangaluru - Bangalore , Bhubaneswar, Ahmedabad, Hyderabad, Pune, Surat, Jaipur, Firewall Service Providers in India

Sales Number : +91 9582 90 7788 | Support Number : +91-9654016484
Sales Email : sales@itmonteur.net | Support Email : support@itmonteur.net

Register & Request Quote | Submit Support Ticket