Security researchers at F5 Networks constantly monitor web traffic at various locations throughout the world. This allows us to detect current “in the wild” malware, and to get an insight into a threat actor’s attack pattern. Here’s a recap of what we saw in April 2019.
Over the course of the month, we detected 12 new attack campaigns:
- Six campaigns targeted two separate Oracle WebLogic server vulnerabilities. Both CVEs (CVE-2017-10271 and CVE-2019-2725) make WebLogic servers vulnerable to unsafe deserialization, leading to remote code execution (RCE).
- Two campaigns targeted Apache Struts servers vulnerable to an RCE in the Jakarta Multipart Parser (CVE-2017-5638). Published in 2017, this vulnerability (which resulted in the massive Equifax data breach) is still a very common threat vector, even though a patch has been available since March 2017.
- One campaign targeted the Drupal RESTful Web Services unserialize RCE (CVE-2019-6340).
- Other notable campaigns included:
  - Joomla Component JBcatalog—Arbitrary File Upload: The threat actor tried to create a back door by piecing together a PHP shellcode on the vulnerable server.
  - ThinkPHP Remote Code Execution (CVE-2018-20062): The threat actor instructed the server to create a PHP back door.
Oracle WebLogic Server WLS Security Component RCE (CVE-2017-10271)
Oracle WebLogic Server is a Java EE application server currently developed by Oracle Corporation. According to ZoomEye, WebLogic is deployed on over 100,000 servers all over the world. As Figure 1 shows, most are located in the United States and China.
In October 2017, Oracle published a patch for a vulnerability in Oracle WebLogic Server and assigned CVE-2017-10271 to it. As expected, within a few days of the patch being available, Proof-of-Concept (PoC) exploits were published online. We don’t know how many of these servers are still vulnerable (unpatched), but our guess is that many are, since threat actors are still targeting them and the impact of an RCE vulnerability can be very high.
The vulnerability exists in the XMLDecoder class within the WLS Security subcomponent. Before the patch for this CVE was released, the file weblogic/wsee/workarea/WorkContextXmlInputAdapter.java contained a ‘validate’ method that threw an exception when an element of type Object was encountered while parsing the XML. However, this method did not check for the element types new, void, array, and method. This allowed threat actors to inject serialized XML that used these four element types, which the validation in the Java file did not catch.
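The following is an added illustration (not Oracle’s code and not part of the original article) of why a check that rejects only the `object` element is incomplete: the same walk over the XML is run once with the pre-patch allow-list and once with the four additional element types the text names. The sample documents are constructed and benign; `validate`, `find_blocked_elements` and the sample names are this example’s own.

```python
import xml.etree.ElementTree as ET

# Element types as described in the text: the pre-patch check rejected only
# "object"; the other four were not caught.
PRE_PATCH_BLOCKED = {"object"}
PATCHED_BLOCKED = {"object", "new", "void", "array", "method"}


def local_name(tag):
    """Strip any '{namespace}' prefix so the check is namespace-agnostic."""
    return tag.rsplit("}", 1)[-1].lower()


def find_blocked_elements(xml_text, blocked):
    """Return the disallowed XMLDecoder element types present anywhere in the document."""
    root = ET.fromstring(xml_text)
    found = []
    for elem in root.iter():          # walks nested elements, e.g. inside a SOAP header
        name = local_name(elem.tag)
        if name in blocked and name not in found:
            found.append(name)
    return found


def validate(xml_text, blocked=PATCHED_BLOCKED):
    """Mirror of the 'validate' idea: raise if any blocked element type is present."""
    hits = find_blocked_elements(xml_text, blocked)
    if hits:
        raise ValueError("disallowed XMLDecoder element type(s): " + ", ".join(hits))
    return True


# Constructed, benign samples (not captured traffic).
SAMPLE_OBJECT = ('<java version="1.8" class="java.beans.XMLDecoder">'
                 '<object class="java.lang.StringBuilder"/></java>')
SAMPLE_VOID = ('<java version="1.8" class="java.beans.XMLDecoder">'
               '<void class="java.lang.StringBuilder"/></java>')
SAMPLE_NESTED = ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
                 '<soapenv:Header><java><array class="java.lang.String" length="1"/></java>'
                 '</soapenv:Header><soapenv:Body/></soapenv:Envelope>')
SAMPLE_BENIGN = '<java version="1.8" class="java.beans.XMLDecoder"><string>hello</string></java>'


def compare_checks(xml_text):
    """Show what each version of the check would flag for one document."""
    return {
        "pre_patch": find_blocked_elements(xml_text, PRE_PATCH_BLOCKED),
        "patched": find_blocked_elements(xml_text, PATCHED_BLOCKED),
    }
```

For the `void` and nested `array` samples the pre-patch check returns nothing, which is the gap the text describes, while the extended check flags them.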
As we can see in Figure 2, which illustrates a new campaign we detected in April, the threat actor uses the ProcessBuilder class to download and execute a malicious file. This threat actor was previously detected exploiting Jenkins CLI SignedObject Deserialization (CVE-2017-1000353) with the same payload—a cryptominer, in this case. To read more about the payload, please refer to our February attack campaigns article.