Oracle WebLogic hackers pick Monero mining over ransomware

A group of criminals earned nearly $250,000 by installing a cryptocurrency miner on vulnerable Oracle WebLogic and PeopleSoft servers.

Morphus Labs chief research officer Renato Marinho reported this week on an uptick in attacks on enterprise servers that exploit a critical WebLogic flaw that Oracle patched in October. But thanks to an exploit published by a Chinese researcher in December, hundreds of unpatched WebLogic and PeopleSoft servers across the globe have been co-opted as mining bots, boosting the attackers' capacity to mine the Bitcoin alternative Monero.

Surprisingly, the WebLogic vulnerability would also allow the attackers to steal data from affected PeopleSoft systems, or even install ransomware, yet the group has so far only used it to install a Monero miner. And it’s paying off.

One of the operations using the WebLogic exploit has so far mined 611 Monero, worth about $226,070 at current prices. The WebLogic exploit boosted the number of mining bots working for the attackers, but it’s likely that many of these Monero were mined before December. Another group using the same exploit was mining AEON but had only earned about $6,000.

Marinho figures the compromised machines were detected because the script that downloads the Monero miner “accidentally” kills the WebLogic service after compromise. WebLogic is a Java EE application server, and the script replaces its java binary with the Monero miner xmrig — a legitimate miner that the attackers are illegitimately running on others’ hardware.
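The binary swap described above is also what a defender can check for. The following is an added example, not code from the article or from Morphus Labs: it audits a java binary against a recorded SHA-256 baseline and scans it for miner markers. The `xmrig` marker comes from the article; the `stratum+tcp://` marker and the sample file contents are assumptions constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Markers that should never appear inside a JDK `java` executable.
# "xmrig" is the miner named in the article; "stratum+tcp://" is an
# assumed generic mining-pool URL scheme, not taken from the article.
MINER_MARKERS = (b"xmrig", b"stratum+tcp://")


def sha256_of(path):
    """Stream the file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_java_binary(path, expected_sha256):
    """Return a list of findings for the java binary at `path`.
    An empty list means the file matches the recorded baseline hash
    and contains none of the miner markers."""
    findings = []
    actual = sha256_of(path)
    if actual != expected_sha256:
        findings.append(f"hash mismatch: expected {expected_sha256[:12]}..., got {actual[:12]}...")
    data = Path(path).read_bytes()
    for marker in MINER_MARKERS:
        if marker in data:
            findings.append(f"miner marker found: {marker.decode()}")
    return findings


def demo():
    """Constructed scenario: record a baseline for a stand-in java binary,
    then overwrite it the way the article's script does and re-audit."""
    with tempfile.TemporaryDirectory() as tmp:
        java = Path(tmp) / "java"
        java.write_bytes(b"\x7fELF pretend-jdk-java")  # constructed stand-in
        baseline = sha256_of(java)
        assert audit_java_binary(java, baseline) == []  # clean before the swap
        java.write_bytes(b"\x7fELF xmrig stratum+tcp://pool.invalid:3333")  # constructed
        return audit_java_binary(java, baseline)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In practice the baseline hash would be recorded from the JDK install at deployment time and the audit run periodically or from a host-based agent.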

On January 2 an admin posted a report on Oracle’s support forum documenting the same Monero attack after discovering errors that shut down a WebLogic service and an Oracle Access Management server.

Marinho has found hundreds of attacked WebLogic and PeopleSoft servers around the world, mostly hosted on cloud services such as AWS, Digital Ocean, Google, Microsoft, Oracle Cloud and OVH.

In a follow-up analysis, Johannes Ullrich, dean of research at the SANS Institute, said the attacks rely on an exploit developed and published by Chinese security researcher Lian Zhang in late December. The vulnerability it targets, CVE-2017-10271, has a CVSS score of 9.8 and is easily exploitable.

“Once the exploit was published, anybody with limited scripting skills was able to participate in taking down WebLogic (/PeopleSoft) servers,” wrote Ullrich. 

Both Ullrich and Marinho were surprised the attackers didn’t use the exploit to cause more damage, especially given the data hosted on PeopleSoft servers. 

“PeopleSoft itself is a complex enterprise process management system. The name implies human resource functions, but the software goes way beyond simple HR features. Typically, “everything” in an organization lives in PeopleSoft,” said Ullrich. 

“An attacker would probably have been able to do a lot more damage to an organization by exfiltrating the data that lives on the system, or worse, modify it.”
