Attackers Exploiting Oracle WebLogic Flaw to Install Sodinokibi Ransomware

Threat actors have been discovered exploiting a recently patched Oracle WebLogic vulnerability to deliver new ransomware named Sodinokibi.

Earlier this month Oracle addressed a deserialization vulnerability (CVE-2019-2725) having CVSS score of 9.8 in the Oracle WebLogic server.

The flaw could be exploited by an attacker remotely to execute commands without authorisation and gain full access to the servers.

On April 26 Oracle released a patch to fix the issue and advised customers to update it as soon as possible.

According to Cisco Talos researchers, attackers are now exploiting this flaw to install Sodinokibi ransomware.

“This vulnerability is easy for attackers to exploit, as anyone with HTTP access to the WebLogic server could carry out an attack. Because of this, the bug has a CVSS score of 9.8/10. Attackers have been making use of this exploit in the wild since at least April 17. “

Usually, most ransomware variants need user interaction such as opening an email attachment or clicking a malicious link to infect the devices.

In this case, attackers just need to leverage the Oracle WebLogic vulnerability, causing the affected server to download a copy of the ransomware from attacker-controlled IP addresses.

The Sodinokibi ransomware after infection will delete the shadow volume copies and disable windows startup repair.

In the next process, it will start encrypting files in the server and append a random extension to the files which is different for each device.

A ransom note named format [extension]-HOW-TO-DECRYPT.txt will be added to each folder which contains a unique key and link to the payment site.

Sodinokibi Ransomware
Source: Bleeping Computer


In the payment site, victims are asked to enter the unique key and extension and will be shown a page which displays the ransom amount and bitcoin address to which the payment should be made.

 Sodinokibi Ransomware
Source: Bleeping Computer

 Researchers also noted that attackers were also seen installing Gandcrab ransomware v5.2 on already infected servers.

According to researchers attackers installed an addition or different ransomware on the same target is because of the unsuccessful earlier attempts and as a backup plan to earn ransom payment.

All server admins are advised to install the patch immediately to avoid infection.

Follow this Steps to Prevent Yourself from Sodinokibi Ransomware Infection:

Cisco Talos recommends the following steps to prevent your Oracle WebLogic servers  from ransomware infection

  • Patch WebLogic as soon as possible against CVE-2019-2725.
  • Log and centrally collect web, application, and operating systems events.
  • Restrict the access of the account used to run the WebLogic process
  • Monitor for signs of compromise:
    • Egress network communications from data center systems.
    • Ransomware “Canary” files.
    • External HTTP POSTs to new URIs.
    • Web shells.
    • Unexpected activity of service/system accounts (WebLogic user).
  • Scan for, understand, and mitigate your vulnerability posture.
  • Restrict egress Data Center communications.
  • Segment the network for defense and monitoring.
  • Control URL access (in this case external access to “/_async/*” and “/wls-wsat/*”).
  • Plan for Disaster Recovery, including maintaining and testing data backups and recovery.
  • Configure PowerShell to execute only signed scripts

For the latest cyber threats and the latest hacking news please follow us on FacebookLinkedin and Twitter.

You may be interested in reading:New Emotet Trojan Variant Uses Compromised Devices as Proxy C&C Servers



Please rate this content