Oracle app server hack let one attacker mine $226,000 worth of cryptocoins

Exploit published in December makes cracking unpatched Oracle servers easy. In a report published on January 7 by SANS Technology Institute, Morphus Labs researcher Renato Marinho revealed what appears to be an ongoing worldwide hacking campaign by multiple attackers against PeopleSoft and WebLogic servers that leverages a Web application server vulnerability patched by Oracle late last year.

These attackers aren’t stealing data from victims, however—at least as far as anyone can tell. Instead, the exploit is being used to mine cryptocurrencies. In one case, according to analysis posted today by SANS Dean of Research Johannes B. Ullrich, the attacker netted at least 611 Monero coins (XMR)—$226,000 dollars’ worth of the cryptocurrency.

The attacks appear to have leveraged a proof-of-concept exploit of the Oracle vulnerability published in December by Chinese security researcher Lian Zhang. Almost immediately after the proof of concept was published, there were reports of it being used to install cryptominers from several different locations—attacks launched from servers (some of them likely compromised servers themselves) hosted by Digital Ocean, GoDaddy, Verizon Business Services, and Athenix.

“The victims are distributed worldwide,” wrote Ullrich. “This isn’t a targeted attack. Once the exploit was published, anybody with limited scripting skills was able to participate in taking down WebLogic/PeopleSoft servers.”

In the case of the attack documented by Marinho, the attacker installed a legitimate Monero mining software package called xmrig on 722 vulnerable WebLogic and PeopleSoft systems—many of them running on public cloud services, according to Ulrich. More than 140 of those systems were in the Amazon Web Services public cloud, and smaller numbers of servers were on other hosting and cloud services—including roughly 30 on Oracle’s own public cloud service.

The exploit code makes scanning for vulnerable systems simple, so the entire universe of publicly exposed, unpatched Oracle Web application servers could quickly fall victim to these and other attacks. On the bright side, some of these surreptitious mining efforts were detected relatively quickly because the script used to “drop” the mining tool also killed the “java” process on the targeted servers—essentially shutting down the application server and drawing quick attention from administrators.

The installer used in the documented Monero attack was a simple bash script. It issues commands to seek out and kill other blockchain miners that may have arrived before it, and it sets up a CRON job to download and launch the miner tool in order to keep its foothold intact.

Ullrich warned that victims shouldn’t simply end their response to these intrusions by patching their servers and removing the mining software. “It is very likely that more sophisticated attackers used this to gain a persistent foothold on the system. In this case, the only ‘persistence’ we noticed was the CRON job. But there are many more, and more difficult to detect, ways to gain persistence.”

Source:https://arstechnica.com/information-technology/2018/01/hackers-turn-weblogic-peoplesoft-servers-into-cryptocoin-miners/

Alisa Esage G

Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.

Oracle app server hack let one attacker mine $226,000 worth of cryptocoins

The 11 Essential Falco Cloud Security Rules for Securing Containerized Applications at No Cost

Hack-Proof Your Cloud: The Step-by-Step Continuous Threat Exposure Management CTEM Strategy for AWS & AZURE

Web-Based PLC Malware: A New Technique to Hack Industrial Control Systems

The API Security Checklist: 10 strategies to keep API integrations secure

11 ways of hacking into ChatGpt like Generative AI systems

How to send spoof emails from domains that have SPF and DKIM protections?

Silent Email Attack CVE-2023-35628 : How to Hack Without an Email Click in Outlook

How to Bypass EDRs, AV with Ease using 8 New Process Injection Attacks

TunnelCrack: Two serious vulnerabilities in VPNs discovered, had been dormant since 1996

How to easily hack TP-Link Archer AX21 Wi-Fi router

US Govt wants new label on secure IoT devices or wants to discourage use of Chinese IoT gadgets

24,649,096,027 (24.65 billion) account usernames and passwords have been leaked by cyber criminals till now in 2022

How Chinese APT hackers stole Lockheed Martin F-35 fighter plane to develop its own J-20 stealth fighter aircraft [VIDEO]

Compromising Cryptographic Key Security Through PuTTY: A Deep Dive into CVE-2024-31497

How to hack a LG Smart TV via vulnerabilities in LG WebOS?

How to Check if a Linux Distribution is Compromised by the XZ Utils Backdoor in 6 Steps

CVE-2023-5528: Kubernetes Flaw Jeopardizing Windows Node That Can’t Be Ignored

Hacking Debian, Ubuntu, Redhat& Fedora servers using a single vulnerability in 2024

The 11 Essential Falco Cloud Security Rules for Securing Containerized Applications at No Cost

Hack-Proof Your Cloud: The Step-by-Step Continuous Threat Exposure Management CTEM Strategy for AWS & AZURE

Web-Based PLC Malware: A New Technique to Hack Industrial Control Systems

The API Security Checklist: 10 strategies to keep API integrations secure

11 ways of hacking into ChatGpt like Generative AI systems

How to send spoof emails from domains that have SPF and DKIM protections?

Silent Email Attack CVE-2023-35628 : How to Hack Without an Email Click in Outlook

How to Bypass EDRs, AV with Ease using 8 New Process Injection Attacks

Is Your etcd an Open Door for Cyber Attacks? How to Secure Your Kubernetes Clusters & Nodes

CVSS 4.0 Explained: From Complexity to Clarity in Vulnerability Assessment

Major Python Infrastructure Breach – Over 170K Users Compromised. How Safe Is Your Code?

How to exploit Windows Defender Antivirus to infect a device with malware

Inside the Scam: How Ransomware Gangs Fool You with Data Deletion Lies!

How to Bypass EDRs, AV with Ease using 8 New Process Injection Attacks

How hrserver.dll stealthy webshell can mimic Google’s Web Traffic to hide and compromise networks

Cyber Security Channel

US Govt wants new label on secure IoT devices or wants to discourage use of Chinese IoT gadgets

24,649,096,027 (24.65 billion) account usernames and passwords have been leaked by cyber criminals till now in 2022

How Chinese APT hackers stole Lockheed Martin F-35 fighter plane to develop its own J-20 stealth fighter aircraft [VIDEO]