Recently, security researchers published details of a high-risk deserialization vulnerability in Oracle WebLogic Server (CVE-2019-2725) that Oracle has just fixed. The vulnerability was reported to Oracle last November; it allows an unauthenticated attacker to remotely execute arbitrary code on the server. It affects WebLogic 10.3.6.0, 220.127.116.11, 18.104.22.168, and 22.214.171.124. The researchers have now disclosed the details of the vulnerability.
“Historically, most varieties of ransomware have required some form of user interaction, such as a user opening an attachment to an email message, clicking on a malicious link, or running a piece of malware on the device,” Talos researchers Pierre Cadieux, Colin Grady, Jaeson Schultz, and Matt Valites wrote in Tuesday’s post. “In this case, the attackers simply leveraged the Oracle WebLogic vulnerability, causing the affected server to download a copy of the ransomware from attacker-controlled IP addresses 188.166.74[.]218 and 45.55.211[.]79.”
Researchers at Cisco Talos report that the vulnerability has been actively exploited since April 21. The attacker was found to have installed a new ransomware family called Sodinokibi on a vulnerable Oracle WebLogic server. In addition to encrypting important data, the ransomware also tried to destroy backups, preventing the victim from using them to recover the encrypted data. The attacker then used the same vulnerability to install another ransomware family, GandCrab.
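Because the exploited server downloads the ransomware itself, outbound connections from a WebLogic host to the two attacker-controlled addresses quoted above are a useful detection signal. The following is an added example (not code from the article or from Talos) that parses egress firewall/proxy log lines and flags any WebLogic host contacting those IPs. The log format, the internal host address 10.0.5.21, and the sample lines are constructed assumptions; the staging IPs are the ones the Talos researchers named, refanged for matching.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Set

# Attacker-controlled IPs named in the Talos write-up (defanged on the page as
# 188.166.74[.]218 and 45.55.211[.]79); refanged here so they can be matched.
RANSOMWARE_STAGING_IPS = {
    ipaddress.ip_address("188.166.74.218"),
    ipaddress.ip_address("45.55.211.79"),
}

# Hypothetical egress log format (an assumption, not any real product's format):
#   <timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def find_staging_contacts(lines: List[str], weblogic_hosts: Set[str]) -> List[Dict[str, str]]:
    """Return records where a known WebLogic host connected to a staging IP.

    weblogic_hosts: internal addresses of the WebLogic servers being monitored.
    Only traffic sourced *from* those hosts is flagged, because the exploited
    server is the one fetching the payload. Denied attempts are still reported:
    a blocked download does not mean the deserialization step failed.
    """
    hits: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        try:
            dst = ipaddress.ip_address(rec["dst"])
        except ValueError:
            continue  # malformed destination field
        if rec["src"] in weblogic_hosts and dst in RANSOMWARE_STAGING_IPS:
            hits.append(rec)
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOGS = [
    "2019-04-25T10:14:02Z src=10.0.5.21 dst=93.184.216.34 dport=443 action=allow",
    "2019-04-25T10:15:11Z src=10.0.5.21 dst=188.166.74.218 dport=80 action=allow",
    "2019-04-25T10:15:40Z src=10.0.9.7 dst=45.55.211.79 dport=443 action=allow",
    "2019-04-25T10:16:05Z src=10.0.5.21 dst=45.55.211.79 dport=443 action=deny",
    "garbage line that does not parse",
]
# Constructed: the one WebLogic server in this sample environment.
WEBLOGIC_HOSTS = {"10.0.5.21"}

if __name__ == "__main__":
    for hit in find_staging_contacts(SAMPLE_LOGS, WEBLOGIC_HOSTS):
        print(f"{hit['ts']} WebLogic host {hit['src']} contacted staging IP "
              f"{hit['dst']} on port {hit['dport']} (action={hit['action']})")
```

On the sample input, the connection from 10.0.9.7 is ignored because that host is not in the WebLogic set, while both connections from 10.0.5.21 to the staging IPs are reported, including the denied one. In a real deployment the host set would come from inventory and the lines from the egress log pipeline; a match here should trigger the same incident response as the exploitation itself, since the server has already executed attacker-supplied code by the time it reaches out.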