A vulnerability in Oracle WebLogic Server is being exploited in the wild by a new ransomware variant named Sodinokibi.
On April 26, 2019, Oracle released an out-of-band patch to address the vulnerability (CVE-2019-2725). Several cases of the vulnerability being exploited in the wild have been reported. Oracle WebLogic Server is an application server that forms part of Oracle Fusion Middleware and is widely deployed in enterprises.
Despite the threat posed by the vulnerability, many enterprises have been slow to apply the patch, rendering them vulnerable to attack.
According to researchers at Cisco Talos, the first attacks delivering Sodinokibi through the WebLogic flaw were observed on April 25, 2019, the day before Oracle issued the patch, which is why the vulnerability is described as a zero-day. Sodinokibi had not been seen in any attacks before those exploiting CVE-2019-2725.
Sodinokibi ransomware encrypts files and hampers recovery by deleting Volume Shadow Copies. It does this with the legitimate Windows utility vssadmin.exe, which administrators use to manage shadow copies: the malware runs it to delete the existing copies so the victim cannot roll files back, increasing the pressure to pay the ransom.
CVE-2019-2725 can be exploited remotely, without authentication or user interaction. The threat actors behind the campaign scan for vulnerable servers and, when one is found, send it an HTTP POST request containing a PowerShell command that downloads and runs the ransomware.
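The two behaviours described above, the exploitation POST against the WebLogic server and the shadow-copy deletion on the host, are both visible in ordinary telemetry. The following is an added example of detection logic a defender could run over web-server access logs and endpoint process-creation events; it is not code from the article or from Cisco Talos. The log lines and process events are constructed for illustration. The endpoint prefixes `/_async/` and `/wls-wsat/` are not named in the article and are an assumption based on the WebLogic web-service components the fix addressed; the `wmic shadowcopy delete` check goes beyond the article as a commonly used equivalent of the vssadmin command.

```python
"""Detection checks for CVE-2019-2725 exploitation attempts and shadow copy
deletion, run over constructed sample telemetry (not real victim data)."""
import re

# --- Web layer: POST requests to the vulnerable WebLogic web services ------
# Combined log format: client ident user [time] "METHOD PATH PROTO" status ...
ACCESS_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# ASSUMPTION: the article does not name the endpoints; these are the
# WebLogic web-service paths associated with the patched components
# (async response service and WS-AT). Treat them as a starting point.
SUSPECT_PATH_PREFIXES = ("/_async/", "/wls-wsat/")

# Constructed sample access log (RFC 5737 test addresses, no real traffic).
SAMPLE_ACCESS_LOG = """
203.0.113.7 - - [26/Apr/2019:10:01:12 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0 "-" "python-requests/2.21.0"
198.51.100.4 - - [26/Apr/2019:10:01:15 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Apr/2019:10:01:19 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1270 "-" "python-requests/2.21.0"
192.0.2.9 - - [26/Apr/2019:10:02:00 +0000] "POST /myapp/api/orders HTTP/1.1" 201 44 "-" "Mozilla/5.0"
""".strip().splitlines()


def flag_weblogic_posts(lines):
    """Return parsed request records for POSTs aimed at the suspect endpoints.

    A GET to the same path (a scanner probing for the service) is not flagged
    here; the exploit itself needs a POST body to deliver the payload.
    """
    hits = []
    for line in lines:
        m = ACCESS_LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the whole scan
        if m["method"] == "POST" and m["path"].startswith(SUSPECT_PATH_PREFIXES):
            hits.append(m.groupdict())
    return hits


# --- Host layer: shadow copy deletion -------------------------------------
def is_shadow_copy_deletion(image, command_line):
    """True if a process-creation event shows shadow copies being destroyed."""
    exe = image.rsplit("\\", 1)[-1].lower()
    cmd = command_line.lower()
    if exe == "vssadmin.exe":
        # Only the destructive verb matters; "vssadmin list shadows" is routine.
        return "delete" in cmd and "shadows" in cmd
    if exe == "wmic.exe":
        # Equivalent WMI route (an addition beyond the article's description).
        return "shadowcopy" in cmd and "delete" in cmd
    return False


# Constructed sample process-creation events (Sysmon event 1 style fields).
SAMPLE_PROCESS_EVENTS = [
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe Delete Shadows /All /Quiet",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin list shadows",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": "wmic shadowcopy delete",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]


def flag_shadow_copy_deletion(events):
    return [e for e in events
            if is_shadow_copy_deletion(e["image"], e["command_line"])]


if __name__ == "__main__":
    for hit in flag_weblogic_posts(SAMPLE_ACCESS_LOG):
        print("suspect POST from", hit["client"], "to", hit["path"], "status", hit["status"])
    for ev in flag_shadow_copy_deletion(SAMPLE_PROCESS_EVENTS):
        print("shadow copy deletion:", ev["command_line"], "(parent", ev["parent_image"] + ")")
```

The web-layer check is only a triage filter: a POST to these paths is not proof of compromise, but on a server that was unpatched and reachable before April 26 it is the request to pull and inspect, together with the process tree of anything the WebLogic Java process spawned afterwards (the PowerShell download described above would appear there). The host-layer check fires on the deletion regardless of how the ransomware was delivered, so it remains useful after patching.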
Each successful attack appends a unique alphanumeric extension to the encrypted files. Because the attackers can identify which company they have compromised, ransom demands are set per victim, and both the amount and the time allowed to pay have varied considerably: some victims were given two days, others six, and the demand doubles if the deadline passes without payment. The ransoms demanded so far have been $1,500 and $2,500 in Bitcoin.
The attacks are expected to increase because Oracle WebLogic Server is so widely used and the vulnerability is so easy to exploit. CVE-2019-2725 is also being exploited to deliver cryptocurrency-mining malware and other malware families.
Organisations running Oracle WebLogic Server are advised to apply Oracle's patch as soon as possible. Since the flaw was exploited before the patch existed and requires no authentication, any internet-facing server that was unpatched should also be checked for signs of compromise rather than assumed clean once updated.