Security researchers have detected rising numbers of attacks on Oracle WebLogic Servers worldwide after two proof-of-concept (PoC) exploits for the vulnerability were published on GitHub:
- PoC for the CVE-2018-2893 exploit shared by anbai-inc
- PoC for the CVE-2018-2893 exploit shared by Ryaninf
Heavy reconnaissance activity by attackers has been reported in the wild since the PoCs were shared, followed by a wave of attacks on unpatched Oracle WebLogic Servers. Researchers reported on July 23, 2018 that a group named Luoxk has been actively exploiting the WebLogic Server Remote Code Execution Vulnerability (CVE-2018-2893). The attackers' main objective is believed to be locating vulnerable WebLogic Servers that have not received Oracle's Critical Patch Update released on July 18, 2018.
Oracle WebLogic Server Remote Code Execution Vulnerability: A Closer Look at CVE-2018-2893
The vulnerability lies in the WLS Core Components sub-component of the WebLogic Server component of Oracle Fusion Middleware. The supported WebLogic Server versions listed as affected are 12.1.3.0, 12.2.1.2, 12.2.1.3 and 10.3.6.0.
The vulnerability is rated 'critical' because it lets an unauthenticated attacker take control of the WebLogic Server. The one precondition is network access to the T3 protocol, the proprietary protocol that WebLogic uses for RMI traffic, which by default is served on the same listen port as HTTP (7001 in a standard installation). The flaw is a Java deserialization issue reachable over T3, so even where the Critical Patch Update cannot be applied immediately, blocking T3 and T3S from untrusted networks (at the firewall or with a WebLogic connection filter) removes the attack path; WebLogic instances that expose their listen port to the internet are the ones being found and exploited.
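Because exposure of T3 is the precondition, the first thing a defender wants is a way to tell whether a given listen port speaks T3 and which WebLogic version it reports. The following is an added example, not code from the article or from either PoC. It assumes the T3 handshake format used by WebLogic's own client (the client sends `t3 <version>\nAS:255\nHL:19\n\n` and the server answers with a `HELO:<version>.<true|false>` banner); the sample responses are constructed for offline use, and `probe_t3` is the only function that touches the network.

```python
"""Fingerprint a WebLogic T3 listener and compare the reported version with the
CVE-2018-2893 affected list. Added example; the handshake format is an assumption
based on WebLogic's own client behaviour, and the sample replies are constructed."""
import re
import socket

# Versions Oracle lists as affected by CVE-2018-2893 (July 2018 CPU).
AFFECTED_VERSIONS = {"10.3.6.0", "12.1.3.0", "12.2.1.2", "12.2.1.3"}

# Minimal T3 client hello: protocol name, client version, abbreviation size, header length.
T3_PROBE = b"t3 12.2.1\nAS:255\nHL:19\n\n"

# Server reply starts with "HELO:<server version>.<boolean>", e.g. "HELO:12.2.1.3.false".
HELO_RE = re.compile(rb"^HELO:(?P<version>\d+(?:\.\d+)+)\.(?P<flag>true|false)", re.M)


def parse_t3_helo(response: bytes):
    """Return (version, flag) from a T3 HELO banner, or None if this is not a T3 reply."""
    m = HELO_RE.search(response)
    if m is None:
        return None
    return m.group("version").decode("ascii"), m.group("flag") == b"true"


def is_affected(version: str) -> bool:
    """True if the banner version is on the advisory's affected list.

    The banner does not reveal the patch level, so a match means
    'affected unless the July 2018 CPU has been applied', not 'definitely vulnerable'."""
    return version in AFFECTED_VERSIONS


def assess(response: bytes) -> dict:
    """Summarise a raw reply from the listen port: is it T3, which version, is it on the list."""
    parsed = parse_t3_helo(response)
    if parsed is None:
        return {"t3": False, "version": None, "affected": False}
    version, _secure_flag = parsed
    return {"t3": True, "version": version, "affected": is_affected(version)}


def probe_t3(host: str, port: int = 7001, timeout: float = 5.0) -> bytes:
    """Send the T3 hello to a live host and return the raw reply (network access; not run offline)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(T3_PROBE)
        return sock.recv(1024)


# Constructed sample replies: an affected WebLogic 12.2.1.3 banner and a plain HTTP error
# from a port that does not speak T3.
SAMPLE_WEBLOGIC_REPLY = b"HELO:12.2.1.3.false\nAS:2048\nHL:19\nMS:10000000\n\n"
SAMPLE_NON_T3_REPLY = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for label, reply in (("weblogic", SAMPLE_WEBLOGIC_REPLY), ("non-t3", SAMPLE_NON_T3_REPLY)):
        print(label, assess(reply))
```

A listener that answers the hello with a `HELO:` banner is reachable over T3 from wherever the probe was run; if that is the internet, the host is in the population the Luoxk scans are sweeping, whether or not the banner version is on the list, because the banner does not show whether the July 2018 patch has been applied.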
Possible Reasons Attackers Take Control of Oracle WebLogic Servers
As reported earlier this year, attackers compromised WebLogic servers to plant cryptocurrency miners. Researchers also found it unusual at the time that no data theft was detected after the servers were compromised, which suggests the attackers were more interested in the servers' computing power than in their data. Oracle WebLogic Servers are deployed at enterprise scale on comparatively powerful hardware, which makes them attractive hosts for mining Monero, and this is a likely reason attackers keep targeting them.
Get a Vulnerability Assessment done for your organisation today!