Thousands of unpatched and publicly exposed Oracle WebLogic servers are targeted by multiple botnets in order to deploy crypto miners and steal sensitive information from infected systems.
Oracle patched the WebLogic Server vulnerability as part of its October 2020 Critical Patch Update and subsequently again in November (CVE-2020-14750) as an out-of-band security patch.
As of now, around 3,000 Oracle WebLogic servers are accessible on the Internet, based on stats from the Shodan search engine.
Oracle WebLogic is a platform for developing, deploying, and running enterprise Java applications in any cloud environment as well as on-premises.
The flaw, tracked as CVE-2020-14882, has a CVSS score of 9.8 out of a maximum of 10 and affects WebLogic Server versions 10.3.6.0.0, 126.96.36.199.0, 188.8.131.52.0, 184.108.40.206.0, and 220.127.116.11.0.
Even though the issue was patched, the release of proof-of-concept exploit code has made unpatched Oracle WebLogic instances a profitable target for attackers, who enroll these servers into botnets that steal critical data and deploy second-stage malware payloads.
Juniper Threat Labs found that the DarkIRC botnet operators are exploiting this RCE vulnerability to spread laterally across the network, download files, record keystrokes, steal credentials, and execute arbitrary commands on compromised machines.
The malware also acts as a Bitcoin clipper: it replaces Bitcoin wallet addresses copied to the clipboard with the operator's wallet address, allowing the attackers to reroute Bitcoin transactions.
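As an added defender-side example (not code from the article or from Juniper's report), the check below validates Bitcoin addresses with Base58Check and flags a clipboard change in which one valid address is silently replaced by another, which is the clipper behaviour described above. The clipboard snapshots and the "user initiated copy" flag are constructed inputs standing in for whatever clipboard monitor an endpoint agent actually uses.

```python
import hashlib
from typing import List, Optional, Tuple

BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_decode(addr: str) -> Optional[bytes]:
    """Return the 21-byte payload (version + hash160) if the Base58Check checksum is valid, else None."""
    num = 0
    for ch in addr:
        idx = BASE58_ALPHABET.find(ch)
        if idx < 0:                      # character outside the Base58 alphabet
            return None
        num = num * 58 + idx
    # Each leading '1' encodes one leading zero byte of the raw data.
    n_pad = len(addr) - len(addr.lstrip("1"))
    body = num.to_bytes((num.bit_length() + 7) // 8, "big") if num else b""
    raw = b"\x00" * n_pad + body
    if len(raw) != 25:                   # version(1) + hash160(20) + checksum(4)
        return None
    payload, checksum = raw[:-4], raw[-4:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return payload if digest[:4] == checksum else None


def is_btc_address(text: str) -> bool:
    """True for a checksum-valid mainnet P2PKH (0x00) or P2SH (0x05) address."""
    payload = base58check_decode(text.strip())
    return payload is not None and payload[0] in (0x00, 0x05)


def detect_clipper(snapshots: List[Tuple[str, bool]]) -> List[Tuple[str, str]]:
    """Flag clipboard transitions where a valid BTC address became a different valid
    BTC address without a user-initiated copy (constructed flag: second tuple field).
    Returns (original_address, replacement_address) pairs."""
    alerts = []
    prev = None
    for text, user_copy in snapshots:
        if (prev is not None and not user_copy
                and is_btc_address(prev) and is_btc_address(text) and text != prev):
            alerts.append((prev, text))
        prev = text
    return alerts
```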
A threat actor named “Freak_OG” has also been selling the DarkIRC malware on hacking forums for $75 since August.
Besides DarkIRC, other campaigns have been found exploiting the WebLogic Server vulnerability.
Another campaign was spotted by ‘0xrb’ and detailed by researcher Tolijan Trajanovski, in which a botnet spreads via the WebLogic flaw to deliver a Monero cryptocurrency miner and Tsunami binaries.
Besides using SSH for lateral movement, the botnet has been found to achieve persistence through cron jobs, kill competing mining tools, and even uninstall endpoint detection and response (EDR) tools from Alibaba and Tencent.
All users are strongly advised to apply the October 2020 Critical Patch Update and the updates associated with CVE-2020-14750 as soon as possible to reduce the risk.