Patch yesterday: ransomware hits Oracle WebLogic flaw to install without users clicking

Credit: ID 92722392 © Aleksandr Velichko |

A critical flaw affecting Oracle WebLogic Server that Oracle offered a patch for last week is now being targeted to install a new strain of ransomware known as Sodinokibi.    

This nasty piece of ransomware aims to encrypt a computer’s directory and attempts to undermine recovery by deleting shadow copy backups, according to researchers from Cisco’s Talos Intelligence

Oracle last Friday released an emergency patch for the then zero-day WebLogic flaw and now tracks the bug as CVE-2019-2725. The deserialization flaw, first reported by researchers at Known Sec 404, can be used by attackers for remote command execution without requiring valid credentials. 

“Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible,” Oracle warned WebLogic admins last Friday, two months before it’s next scheduled critical patch update release. 

At the time of the patch was released it wasn’t known that the flaw was being used to install the Sodinokibi ransomware, however Talos researchers now say that first stage of the attack occurred a day prior to Oracle’s patch. That attack resulted in some customers’ files being encrypted by the ransomware, according to Talos.  

Talos’s image of the Sodinokibi attackers’ ransom page indicates a price aimed clearly at enterprise victims who would place a high value on business data. 

Before a two day deadline expires, victims can pay the equivalent of USD$2,500 in Bitcoin to unlock their data, but after the deadline passes the price doubles to USD$5,000. 

The WebLogic flaw is highly valuable for Sodinokibi’s users as it can avoid the obstacles of having victims opening an attachment or taking some other action to run the malware on a device. 

“In this case, the attackers simply leveraged the Oracle WebLogic vulnerability, causing the affected server to download a copy of the ransomware from attacker-controlled IP addresses 188.166.74[.]218 and 45.55.211[.]79.”

The researchers found the exploitation of a zero-day flaw to distribute ransomware “notable” since historically ransomware attackers have relied on attacking systems that hadn’t been patched for known flaws.

“Due to the ubiquity of Oracle WebLogic servers and the ease of exploitation of this vulnerability, Talos expects widespread attacks involving CVE-2019-2725,” Talos researchers warned. 

Besides patching the flaw, Talos has outlined a number of actions admins should take to monitor and record potential attacks. Admins should also restrict access to accounts used to run the WebLogic process, and critically, to test data backups and recovery processes. It also recommends configuring PowerShell to only execute signed scripts. 

There is currently incomplete coverage for the Sodinokibi ransomware amongst antivirus vendors, according to Alphabet-owned Chronicle’s VirusTotal service. Currently 47 of 71 antivirus engines detect the ransomware, up from just 23 engines on the day after Oracle released its patch. 

Sodinokibi was first flagged on the day of Oracle’s patch by an independent security researcher who uses the Twitter handle @GrujaRS.

Oddly, about 8 hours after the attackers installed the Sodinokibi ransomware on WebLogic servers, they opted to install the ransomware Gandcrab v5.2. The researchers guess that because Sodinokibi is new ransomware, the attackers could have installed another strain as a backup method to cash in on compromised devices.     

Tags Oracleciscozero-day exploitsTalos Intelligence

Show Comments