Recently security researchers found malicious actors exploiting old and recently disclosed Oracle Weblogic Server vulnerabilities to deliver the crypto miner malware on the infected hosts. Mostly the Oracle Weblogic Servers are used for developing and deploying high-traffic enterprise applications in cloud environments.
Old vulnerabilities that are being widely exploited by malicious actors are CVE-2020-14882, which is remote code execution (RCE) vulnerability that takes advantage of improper input validation in the Oracle Web logic server.
In this blog, researchers are talking about the malware called Kinsing malware exploiting this Oracle Weblogic server. However, they also observed the download of Python Scripts and Shell went through the list of actions such as disabling OS security features, watchdog timers, iptables and finally disabling cloud service provider agents.
Technical Analysis of vulnerability being exploited widely
Malicious actors are abusing the old vulnerability CVE-2020-14882 found actively weaponizing to gain access to infected Organizations. We will see a step-by-step analysis of how the vulnerability is being exploited.
Step 1: Attacker runs scripts abusing CVE-2020-14882 and CVE-2020-14883 Vulnerabilities on Unpatched Oracle WebLogic servers.
Step 2: When the scripts are executed on the infected system java process executes 3 child processes which initiate 3 different executions, such as Wget/curl, Install kinsing malware, and C&C.
Step 3: When Wget/Curl executes and installs the Kinsing malware on the infected system and then disables the Firewall / Changes the firewall policy.
Step 4: Installed Kinsing malware connects to C&C servers and malware installed maintains persistence by adding a cronjob on the infected system.
Like Other malware, Cryptocurrency malware will start removing or killing the other miner processes running within the infected systems. And it would also remove the docker images which belonged to other crypto mining malware from the system. And malware disables the security features on the infected hosts so that critical file attributes can be modified and manipulated. After all these steps the script executes and kinsing malware downloads. Finally, it would download the malware binaries and then create a cronjob to download the wb.sh/script.
Detection of Weblogic Vulnerability exploitation
In the IPS (Intrusion Prevention System) module, it can be detected and block the exploitation by the IPS rule Oracle WebLogic Server Remote Code Execution Vulnerabilities (CVE-2020-14882, CVE-2020-14750, and CVE-2020-14883). When the attacker sent the crafted request which attempted to access the console.portal resource under the “images” folder. The “%252e%252e” is a double URL-encoded string of the “..” directory traversal pattern and the attacker forced the server to read the contents of the wb.xml file which downloaded the shell scripts to install the malware.
Anti-malware module, this provides against the vulnerabilities exploitation behavior monitoring. This module detects the event of a Shell script running on java. Malware detected with Trojan.Linux. KINSING.USELVCR22 and infected file: /tmp/kinsing.
In the web reputation module, it detects and blocks the wb. scripts attempts which try to download the kinsing malware and the URL detected: hxxp://185[.]14.30[.]35/kinsing.
Few Threat Hunting queries
Hunt for potential malicious activity within the environment by following the below queries,
- To hunt for potential misuse of java application by checking for processFilePath:/bin/java AND objectFilePath:/usr/bin/bash.
- Hunt the use of curl or wget initiated by Java via bash: processFilePath:/bin/java AND objectFilePath:/usr/bin/bash AND (objectCmd:curl or objectCmd:wget).
- Hunt for the execution of Base64-decoded string execution by Java via bash: processFilePath:/bin/java AND objectFilePath:/usr/bin/bash AND objectCmd:base64.
Indicators of Compromise (IOCs)
020c14b7bf5ff410ea12226f9ca070540bd46eff80cf20416871143464f7d546 – Trojan.SH.CVE20207961.SM