Companies with Oracle WebLogic must be careful; cryptomining malware affects servers

Web application security experts at Trend Micro have detected a hacking campaign against Oracle WebLogic Server deployments that installs malicious cryptocurrency mining software. The attackers exploit a vulnerability to install the miner while bypassing detection by system administrators.

Last April the National Vulnerability Database (NVD) published a security alert about a severe flaw in the WebLogic Server component of Oracle Fusion Middleware, tracked as CVE-2019-2725. If exploited, the flaw allows a threat actor with network access via HTTP to compromise the server.

The most recent reports indicate that the flaw is more serious than first thought: the web application security experts report that it is being exploited in the wild to install mining software and mine cryptocurrency on the attacked systems.

Attackers exploit the vulnerability with malware that forces the system to download a certificate file and save it in a specific location (specialists detect this file as Coinminer.Win32.MALXMR.TIAOODCJ.Component). The file looks like a software certificate, but the miner is actually embedded in it; the certificate file is responsible for downloading and executing the files that make up the payload of the XMR (Monero) mining software.
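As an added defender-side example (not code from Trend Micro or from this article), the check below inspects a file that claims to be a PEM certificate and flags bodies that do not decode to a single DER SEQUENCE, bodies that are PE executables, and any data placed outside the PEM armour; the wrap_pem helper and the sample inputs are constructed for illustration.

```python
import base64
import re

# Matches one PEM armour block and captures its label and base64 body.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def wrap_pem(label: str, der: bytes) -> str:
    """Build a PEM block from raw DER bytes (used to construct samples)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def der_sequence_header(der: bytes):
    """Return (header_len, content_len) if der starts a DER SEQUENCE, else None."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2, first
    n = first & 0x7F                      # long-form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n, int.from_bytes(der[2:2 + n], "big")


def inspect_pem(text: str) -> list:
    """Return findings for a supposed certificate file; [] means it looks like plain PEM."""
    findings = []
    blocks = list(PEM_RE.finditer(text))
    if not blocks:
        return ["no PEM block found"]
    for m in blocks:
        label, body = m.group(1), m.group(2)
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:                # binascii.Error is a ValueError
            findings.append(f"{label}: body is not valid base64")
            continue
        if der[:2] == b"MZ":
            findings.append(f"{label}: decoded body is a PE executable")
            continue
        hdr = der_sequence_header(der)
        if hdr is None or hdr[0] + hdr[1] != len(der):
            findings.append(f"{label}: decoded body is not a single DER SEQUENCE")
    # A genuine PEM file carries nothing but whitespace outside its armour;
    # commands or scripts placed around the blocks are a red flag.
    outside = PEM_RE.sub("", text).strip()
    if outside:
        findings.append(f"data outside PEM armour: {outside[:40]!r}")
    return findings
```

The length check also catches a valid certificate structure with extra bytes appended after it, which is where an embedded payload would otherwise hide unnoticed.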

Web application security experts noted that it is not yet known exactly how many systems have been affected by exploitation of this vulnerability, nor how many Oracle deployments are still unknowingly mining Monero for the attackers.

According to specialists from the International Institute of Cyber Security (IICS), this malicious campaign has shown how easy it is for hackers to use certificate files to inject malicious software while evading protection measures.

To make matters worse, experts predict that the disclosure of this vulnerability will act as a catalyst for multiple cryptojacking campaigns that use seemingly harmless certificate files, a situation that would affect not only administrators of Oracle deployments but also other database management systems.