A critical flaw in Oracle WebLogic Server, for which Oracle issued a patch last week, is now being exploited to install a new ransomware family called Sodinokibi.
The ransomware encrypts files on the victim's machine and hampers recovery by deleting shadow copies, according to researchers at Cisco's Talos Intelligence group.
Last Friday, Oracle released an emergency fix for the WebLogic zero-day, which is now tracked as CVE-2019-2725. The deserialization flaw, first reported by the KnownSec 404 team, lets an attacker execute commands remotely without any authentication.
"Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this security alert as soon as possible," Oracle told WebLogic administrators last Friday, two months ahead of its next scheduled Critical Patch Update.
When the patch was released it was not known that the flaw was being used to deliver Sodinokibi. Talos researchers now say that the first stage of the attack they observed took place the day before Oracle's patch, and that it ended with some of the customer's files being encrypted.
The screenshot of the Sodinokibi ransom page that Talos published shows pricing aimed at companies that place a high value on their business data.
Victims who pay within the two-day deadline are asked for the equivalent of $2,500 in Bitcoin to unlock their data; once the deadline passes, the price doubles to $5,000.
The WebLogic flaw is especially valuable to the Sodinokibi operators because it removes the need for a victim to open an attachment or take any other action to run the malware on a device.
"In this case, the attackers simply exploited the Oracle WebLogic vulnerability, forcing the affected server to download a copy of the ransomware from attacker-controlled IP addresses 188.166.74[.]218 and 45.55.211[.]79."
The researchers called the use of a zero-day to deliver ransomware "notable", since ransomware actors have for a long time preferred to go after systems that were simply left unpatched against known flaws.
"Due to the ubiquity of Oracle WebLogic servers and the ease of exploiting this vulnerability, Talos is expecting widespread attacks involving CVE-2019-2725," warned Talos researchers.
Beyond patching, Talos lists a number of steps administrators should take to monitor and log potential attacks. Administrators should also restrict the privileges of the account under which the WebLogic process runs and, critically, test their backup and data-recovery procedures. Talos also recommends configuring PowerShell to run only signed scripts.
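As an added example (not code from the article or from Talos), here is a small Python detector that applies two of these monitoring points to constructed log lines: it flags a WebLogic host connecting to the two attacker-controlled download addresses Talos named, or to any address outside an assumed internal allowlist, and it flags process launches that delete volume shadow copies. The host names, log formats, allowlist and the specific shadow-copy deletion commands are assumptions of the example, not details given in the article.

```python
"""Detection example for the two behaviours described in the article: a
WebLogic host being made to fetch a payload from attacker-controlled addresses,
and shadow-copy deletion before encryption. Log formats, host names and the
allowlist are constructed for this example."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Download hosts named in the Talos write-up (defanged brackets removed).
IOC_IPS = {"188.166.74.218", "45.55.211.79"}

# Hosts running WebLogic (assumed names).
WEBLOGIC_HOSTS = {"wls-prod-01", "wls-prod-02"}

# Destinations a WebLogic host is expected to reach (assumed: the backend
# database and an internal patch mirror). An application server has no business
# fetching binaries from the internet, so anything else external is suspicious.
EGRESS_ALLOWLIST = {"10.10.5.20", "10.10.5.21"}
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed egress-log format:
#   <ts> host=<src host> proto=<tcp|udp> dst=<ip> dport=<port> action=<allow|deny>
EGRESS_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proto=\S+ dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

# Constructed process-creation format (a Sysmon event 1 flattened to one line):
#   <ts> host=<host> event=process_create image=<path> cmdline="<command line>"
PROC_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) event=process_create image=\S+ cmdline="(?P<cmd>[^"]*)"')

# The article only says Sodinokibi removes shadow backups; the commands below
# are the common Windows ways of doing that and are this example's assumption.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]


@dataclass
class Alert:
    ts: str
    host: str
    rule: str
    detail: str


def is_internal(ip: str) -> bool:
    """True if ip falls inside one of our internal ranges; False for bad input."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def check_egress(line: str) -> Optional[Alert]:
    """Flag a WebLogic host talking to a known IOC or to any external address."""
    m = EGRESS_RE.match(line)
    if not m or m["host"] not in WEBLOGIC_HOSTS:
        return None
    dst = m["dst"]
    if dst in IOC_IPS:
        return Alert(m["ts"], m["host"], "ioc_egress",
                     f"connection to known Sodinokibi download host {dst}")
    if dst not in EGRESS_ALLOWLIST and not is_internal(dst):
        return Alert(m["ts"], m["host"], "unexpected_egress",
                     f"WebLogic host reached non-allowlisted external address {dst}:{m['dport']}")
    return None


def check_process(line: str) -> Optional[Alert]:
    """Flag process launches whose command line deletes volume shadow copies."""
    m = PROC_RE.match(line)
    if not m:
        return None
    if any(p.search(m["cmd"]) for p in SHADOW_DELETE_PATTERNS):
        return Alert(m["ts"], m["host"], "shadow_copy_deletion", m["cmd"])
    return None


def scan(lines: List[str]) -> List[Alert]:
    """Run every rule over every line; alerts come back in log order."""
    alerts = []
    for line in lines:
        for check in (check_egress, check_process):
            alert = check(line)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample log mixing both sources.
SAMPLE_LOG = [
    "2019-04-25T14:02:11Z host=wls-prod-01 proto=tcp dst=10.10.5.20 dport=1521 action=allow",
    "2019-04-25T14:02:40Z host=wls-prod-01 proto=tcp dst=188.166.74.218 dport=80 action=allow",
    "2019-04-25T14:02:41Z host=wls-prod-02 proto=tcp dst=45.55.211.79 dport=80 action=allow",
    "2019-04-25T14:03:05Z host=wls-prod-01 proto=tcp dst=203.0.113.7 dport=443 action=allow",
    "2019-04-25T14:03:09Z host=jumpbox-01 proto=tcp dst=203.0.113.7 dport=443 action=allow",
    r'2019-04-25T14:05:40Z host=wls-prod-01 event=process_create image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe Delete Shadows /All /Quiet"',
    r'2019-04-25T14:05:41Z host=wls-prod-01 event=process_create image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c dir"',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.ts} {a.host} [{a.rule}] {a.detail}")
```

Run as a script it prints four alerts for the embedded sample: two IOC hits, one unexpected external connection from a WebLogic host, and one shadow-copy deletion. Of the two egress rules the allowlist one ages better: the attacker-controlled addresses change from campaign to campaign, whereas an application server downloading an executable from the internet never becomes normal.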
According to VirusTotal, the Alphabet-owned service run by Chronicle, antivirus coverage of Sodinokibi is still incomplete: 47 of 71 engines currently detect the sample, up from 23 the day after Oracle released its patch.
Sodinokibi was first reported on the day of Oracle's patch by an independent security researcher tweeting as @GrujaRS.
Oddly, about eight hours after installing Sodinokibi on the WebLogic servers, the attackers chose to deploy the GandCrab v5.2 ransomware as well. The researchers suspect that, because Sodinokibi is new, the attackers may have dropped a second, established strain as a fallback to make sure they could profit from the compromised machines.