Oracle WebLogic

Oracle WebLogic servers are under attack from hackers who are trying to take over vulnerable installations that have not received a recent patch for a critical vulnerability.

The security bug at the heart of these hacking attempts is CVE-2018-2893, a vulnerability in a component of the Oracle WebLogic middleware that allows an attacker to gain control over the entire server without having to know its password.

The vulnerability has been rated "critical" and assigned a severity score of 9.8 out of 10 on the CVSSv3 scale due to its impact, its remote exploitability, and its ease of exploitation.

Details about this vulnerability were never made public, and Oracle released patches for it on July 18, last week.

PoC publication fuels attack wave

But three days later, several proof-of-concept (PoC) exploits were published online by various individuals. Bleeping Computer has tracked at least three different PoCs; two were still available online at the time of this article's publication [1, 2], while a third was taken down less than a day after it was published on GitHub last Friday.

As has happened many times in the past with other vulnerabilities, the availability of this PoC code has led to a rise in exploitation attempts.

First exploitation attempts started on Saturday, July 21, after news of the PoCs' existence spread on social media. Since then, attacks have slowly ramped up.

At least two groups exploiting this at scale

Security researchers from ISC SANS and Qihoo 360 Netlab are currently tracking two separate groups who appear to have automated the exploitation routine and are conducting these hacks at a large scale.

Server owners are advised to apply the Oracle July 2018 CPU updates as soon as possible, and especially the patches for CVE-2018-2893. Oracle WebLogic servers running versions 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3 are known to be vulnerable and will need the patch.

Attackers are exploiting this flaw via port 7001, so server owners may want to block external access to that port at their network perimeter until they apply the patch.

Third Oracle WebLogic flaw exploited in the past year

These attacks are also not the first time that hackers have jumped on an Oracle WebLogic server vulnerability. Miscreants have, in a similar fashion, used recently published PoC code for CVE-2017-10271 to take over servers and make them run cryptocurrency miners. Last year, just one group made over $226,000 by exploiting this one flaw.

Hackers have also exploited another WebLogic flaw, CVE-2018-2628, in April after security researchers discovered that Oracle botched the patch and that servers remained vulnerable.

Cryptocurrency mining was also the main reason for the attacks in April and is most likely the main threat right now as well.
