Multiple botnets exploit a remote code execution vulnerability in Oracle WebLogic Server.
Oracle WebLogic Server:
Oracle WebLogic is a platform for developing, deploying, and running enterprise Java applications in any cloud environment as well as on-premises.
Recently, a new patch was released for the vulnerability seen being exploited against honeypots, CVE-2020-14882.
Oracle Security Alert — CVE-2020-14750
Description:
A remote code execution vulnerability in Oracle WebLogic Server that is being used to steal sensitive information from affected systems.
Importantly, this vulnerability is related to CVE-2020-14882, which was addressed in the October 2020 Critical Patch Update.
As of writing, about 3,000 Oracle WebLogic servers are accessible on the Internet, based on stats from the Shodan search engine.
Severity:
Base Score 9.8/10
Affected Products:
Oracle WebLogic Server — versions:
- 10.3.6.0.0,
- 12.1.3.0.0,
- 12.2.1.3.0,
- 12.2.1.4.0,
- 14.1.1.0.0
Patch Availability:
DarkIRC — This bot performs a unique command and control domain generation algorithm that relies on the sent value of a particular crypto wallet.
Notably, this bot is currently being sold on hack forums for $75 USD.
Bot Functions:
The bot installs itself as %APPDATA%\Chrome\Chrome.exe and creates an autorun entry. Its functions include:
- Browser Stealer
- Keylogging
- Bitcoin Clipper
- DDoS
  - Slowloris
  - RUDY (R-U-Dead-Yet?)
  - TCP Flood
  - HTTP Flood
  - UDP Flood
  - SYN Flood
- Worm (spread itself across the network)
- Download Files
- Execute Commands
Moreover, the malware also acts as a Bitcoin clipper: it replaces bitcoin wallet addresses copied to the clipboard with the operator's bitcoin wallet address, allowing the attackers to reroute Bitcoin transactions.
Vulnerable server instances are a lucrative target for threat actors, who recruit them into a botnet that pilfers critical data and deploys second-stage malware payloads.
Recommendations:
Unpatched Oracle WebLogic servers are therefore being used to deploy crypto miners and to steal sensitive information from infected systems.
It’s recommended that users apply the October 2020 Critical Patch Update and the updates associated with CVE-2020-14750.
Indicators Of Compromise:
IP addresses:
- 45[.]77.178.169
- 139[.]180.194.87
- 85[.]248.227.163
- 185[.]65.134.178
Port:
- 7001
Hashes (SHA-256):
- ef7df0f86ed1a1bca365d7247d60384ece4687db28e5ec9aee1a61b1cfa4befa
- 4bafb11609f744948f7adbba60b8f122906d6cb079b1a1f3b9ba82f362e03889
- 81d51082566d3cebbc8d0d3df201a342f8056efbfb95a7778b6f5d56a264fb07
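The indicators above can be turned into a simple triage check. The following Python script is an added example, not part of the original advisory: it refangs the defanged IP addresses, scans constructed WebLogic access log lines (sample data, not real traffic; the common-log-format layout is an assumption) for connections from the listed addresses, and checks SHA-256 digests against the listed hashes.

```python
import re
from typing import Dict, List

# Indicators as published in the advisory above, kept defanged ([.]) in source.
IOC_IPS_DEFANGED = [
    "45[.]77.178.169",
    "139[.]180.194.87",
    "85[.]248.227.163",
    "185[.]65.134.178",
]
IOC_HASHES = {
    "ef7df0f86ed1a1bca365d7247d60384ece4687db28e5ec9aee1a61b1cfa4befa",
    "4bafb11609f744948f7adbba60b8f122906d6cb079b1a1f3b9ba82f362e03889",
    "81d51082566d3cebbc8d0d3df201a342f8056efbfb95a7778b6f5d56a264fb07",
}

def refang(indicator: str) -> str:
    """Turn the defanged form 1[.]2.3.4 back into a matchable address."""
    return indicator.replace("[.]", ".")

IOC_IPS = {refang(ip) for ip in IOC_IPS_DEFANGED}

# WebLogic's default HTTP access log is in common log format; the client
# address is the first field.  The regex is an assumption about that layout.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

def scan_access_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return parsed entries whose client address is one of the listed IPs."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and m.group("ip") in IOC_IPS:
            hits.append(m.groupdict())
    return hits

def is_known_hash(hexdigest: str) -> bool:
    """True if a SHA-256 hex digest (hashlib.sha256(data).hexdigest()) is listed."""
    return hexdigest.lower() in IOC_HASHES

# Constructed sample log lines (not real traffic): two hit, two do not.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Nov/2020:10:15:01 +0000] "GET / HTTP/1.1" 200 512',
    '45.77.178.169 - - [02/Nov/2020:10:16:44 +0000] "POST / HTTP/1.1" 200 3072',
    '192.168.1.20 - - [02/Nov/2020:10:17:09 +0000] "GET /app HTTP/1.1" 404 0',
    '185.65.134.178 - - [02/Nov/2020:10:18:30 +0000] "GET / HTTP/1.1" 200 512',
]
```

Running `scan_access_log(SAMPLE_LOG)` returns the two entries from listed addresses, with their timestamp, request line and status for follow-up.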