Attackers have been actively exploiting a zero-day vulnerability in the widely used Oracle WebLogic Server to deliver not one but two ransomware variants. A zero-day vulnerability is a software security flaw for which no patch yet exists, leaving a security hole waiting to be exploited by cybercriminals. What is truly novel, and somewhat frightening, about this attack is that the ransomware can be downloaded and executed without the end user clicking on anything; the attacker simply exploits the vulnerability. Traditionally, ransomware infections require the end user to initiate the download of the malware, for example by clicking a link or opening an attachment. This attack does not need what was once an integral step in the infection.
The vulnerability exploited in the attack was discovered two weeks ago, along with proof-of-concept exploit code. The vulnerability, CVE-2019-2725, was made public by the Chinese National Vulnerability Database, and researchers from the security education group SANS ISC warned that it was under active attack. Experts regard the vulnerability as easy to exploit; it allows an attacker to execute code of their choice on cloud servers. The disclosure caused Oracle to release an emergency patch, and administrators are strongly advised to download and install it if they have not already done so.
Confirming the SANS ISC statement that the exploit was actively being used in the wild, researchers at Cisco Talos published an article showing that the exploit had been used as early as April 21. According to the researchers, on Thursday, April 25, attackers started a campaign to install a new ransomware variant called “Sodinokibi”. This was before Oracle released its patch, which came out the following Friday. What makes the vulnerability easy to exploit is that all that is required is HTTP access to a vulnerable WebLogic server. Its severity rating under the Common Vulnerability Scoring System is 9.8 out of a possible 10. The attackers send vulnerable servers a POST request containing a PowerShell command that downloads and then executes a malicious file called “radm.exe”. Besides PowerShell, attackers also exploit CVE-2019-2725 to invoke the Certutil command-line utility. Other files that get downloaded and executed include office.exe and untitled.exe.
The ransom note left by the attackers demands that the victim pay 2,500 USD in Bitcoin within two days to receive the decryption key. After that deadline, the ransom doubles to 5,000 USD. The note also explains to the victim how to set up a Bitcoin wallet and obtain the digital currency, going as far as recommending the use of Blockchain.info. These have become fairly commonplace tactics to help ensure payment. What is not as common is how the infection occurs: as mentioned above, it requires no interaction from an end user. It is this fact that should worry those in charge of an organization’s cybersecurity enough to make sure the above-mentioned patch is installed. The researchers stated,
“Historically, most varieties of ransomware have required some form of user interaction, such as a user opening an attachment to an email message, clicking on a malicious link, or running a piece of malware on the device…In this case, the attackers simply leveraged the Oracle WebLogic vulnerability, causing the affected server to download a copy of the ransomware from attacker-controlled IP addresses 188.166.74[.]218 and 45.55.211[.]79.”
Sodinokibi and GandCrab 5.2
As mentioned above, one of the ransomware variants downloaded and installed on vulnerable WebLogic servers, Sodinokibi, is relatively new on the scene. The ransomware does what is expected, encrypting targeted files so that the end user cannot access them without decrypting them. In addition to the expected encryption, the malware attempts to destroy shadow copy backups to prevent targets from simply restoring the lost data. This tactic is not unheard of and is becoming increasingly common among ransomware operators. The attackers are not solely reliant on Sodinokibi to extort money from victims: approximately eight hours after dropping Sodinokibi, they further deploy GandCrab version 5.2. The researchers at Cisco Talos found this strange and believe that, because Sodinokibi is a new and fairly untested ransomware variant, the attackers also deployed GandCrab, an incredibly successful variant, so that they could still earn cash despite previous failed attempts.
Because an attacker exploiting the WebLogic vulnerability can gain access to a server without authentication, usernames or passwords, or any end-user activity, researchers believe that a number of attacks can be expected to have occurred and will occur. Researchers at Cisco Talos advise that, in addition to downloading and installing the relevant patches, administrators can take the following steps to help prevent the attack:
- Patch WebLogic as soon as possible against CVE-2019-2725.
- Log and centrally collect web, application, and operating system events.
- Restrict the access of the account used to run the WebLogic process.
- Monitor for signs of compromise, which includes looking for:
  - Egress network communications from data center systems.
  - Ransomware "canary" files.
  - External HTTP POSTs to new URIs.
  - Web shells.
  - Unexpected activity of service/system accounts (WebLogic user).
- Scan for, understand, and mitigate your vulnerability posture.
- Restrict egress data center communications.
- Segment the network for defense and monitoring.
- Control URL access (in this case external access to "/_async/*" and "/wls-wsat/*").
- Plan for disaster recovery, including maintaining and testing data backups and recovery.
- Configure PowerShell to execute only signed scripts.
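The following is an added example, not code from the article or from Cisco Talos, showing one way to implement two of the monitoring items above (external HTTP POSTs to new URIs, and access to "/_async/*" and "/wls-wsat/*") as a check run over web server access logs. The log lines, client IP addresses and baseline of known URIs are constructed for the example; the combined (NCSA) log format and the internal network ranges are assumptions you would adjust for your own environment.

```python
"""
Flag the HTTP pattern described in the article: external POST requests to
WebLogic's /_async/* and /wls-wsat/* endpoints, plus POSTs to URIs that
are absent from a baseline of paths normally seen on the server.

Added example; assumes access logs in Apache/NCSA combined format from a
reverse proxy or the WebLogic HTTP access log. All sample data is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumption: the organisation's internal address ranges (adjust as needed).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# URI prefixes named in the article's mitigation list.
SUSPICIOUS_PREFIXES = ("/_async/", "/wls-wsat/")

# Constructed baseline of URIs that legitimately receive POSTs on this host.
BASELINE_URIS = {"/", "/console/j_security_check", "/app/submit"}

# Combined log format: ip ident user [ts] "METHOD URI PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class Finding:
    ip: str
    ts: str
    uri: str
    reason: str


def is_external(ip: str) -> bool:
    """True when the client address is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Return the parsed fields of one combined-format line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines, baseline=BASELINE_URIS):
    """Return findings for external POSTs to the WebLogic endpoints or to
    URIs not in the baseline. Internal clients and non-POST methods are
    ignored, matching the 'external HTTP POSTs' indicator in the article."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not is_external(rec["ip"]):
            continue
        path = rec["uri"].split("?", 1)[0]  # drop query string
        if path.startswith(SUSPICIOUS_PREFIXES):
            findings.append(Finding(rec["ip"], rec["ts"], path,
                                    "post-to-weblogic-async-or-wsat"))
        elif path not in baseline:
            findings.append(Finding(rec["ip"], rec["ts"], path,
                                    "post-to-unbaselined-uri"))
    return findings


# Constructed sample log (documentation-range IPs, not real clients).
SAMPLE_LOG = [
    '203.0.113.10 - - [25/Apr/2019:14:02:11 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0 "-" "Mozilla/5.0"',
    '10.20.30.40 - - [25/Apr/2019:14:03:01 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0 "-" "curl/7.64"',
    '198.51.100.7 - - [25/Apr/2019:14:05:44 +0000] "GET /wls-wsat/CoordinatorPortType HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Apr/2019:14:05:45 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1234 "-" "Mozilla/5.0"',
    '203.0.113.22 - - [25/Apr/2019:14:09:00 +0000] "POST /app/submit HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '203.0.113.22 - - [25/Apr/2019:14:09:30 +0000] "POST /bea_wls_internal/upload?x=1 HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]


def main():
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} {f.uri} -> {f.reason}")


if __name__ == "__main__":
    main()
```

Internal clients are skipped here only because the article's indicator is phrased as external POSTs; an internal host posting to these endpoints is still worth a separate, lower-priority rule once the network is segmented as the list recommends.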