Warning over unpatched Oracle WebLogic Servers being targeted with Monero-mining malware

Rule number one of IT security: Always. Patch. Promptly...

Unpatched Oracle WebLogic servers have been targeted by two groups of cyber criminals looking to use powerful corporate servers to exploit with Monero mining apps - with some environments running PeopleSoft ERP software among the systems compromised.

The attackers netted more than $226,000 in the cryptocurrency, which is intended to be untraceable, despite a patch for the Oracle WebLogic Server security flaw having been issued in October.

The incidents were identified by researchers at Morphus Labs and the SANS Technology Institute identified at the beginning of December 2017.

The attackers took advantage of the security flaw described in CVE-2017-10271, which is rated 9.8 out of ten for severity, using a new "proof-of-concept" exploit.

According to the research team, the attackers carefully chose an exploit - among a number available online - designed by a Chinese security specialist called Lian Zhan. The exploit makes use of an IP address scanner to target unpatched internet-connected servers running the software.

While the attackers could have exfiltrated sensitive data or even installed ransomware, the researchers note, it seems they preferred to surretitiously monetise the compromise with Monero mining malware.

After analysing a compromised environment, it was possible to realise that a critical Oracle WebLogic flaw... is being used

"In the last couple of days, we received some reports regarding a malicious campaign ... deploying Monero cryptocurrency miners on victim's machines," wrote Morphus Labs security researcher Renato Marinho.

He continued: "After analysing a compromised environment, it was possible to realise that a critical Oracle WebLogic flaw, for which the exploit was made public a few days ago, is being used.

"The vulnerability (CVE 2017-10271) is present in WebLogic Web Services component (wls-wsat) and, due to improper user input sanitising, it may allow an unauthenticated remote attacker to execute remote arbitrary commands with the privileges of the WebLogic server user."

The researchers claim that two different hacking groups have been targeting Oracle WebLogic Server - one that mined Monero, and one that mined the AEON cryptocurrency, which also claims to be untraceable.

The group that targeted AEON made around just $6,000, according to the researchers, but the hackers mining the more popular Monero cryptocurrency made a lot more.

"The miner, xmrig, is not exactly malware. It is a legit' crypto coin miner for Monero. The miner comes with a configuration file showing us where the money will go that is mined using this application," wrote SANS Institute security analyst Johannes B. Ullrich.

He continued: "Renato [Marinho] was able to recover one such configuration file, and the pool the miner was connecting to does show that up to this point, 611 Monero coins were mined by this user, which amounts to about $226,070."