Oracle WebLogic

A group of hackers has made over a quarter-million dollars worth of Monero by breaking into Oracle WebLogic servers and installing a cryptocurrency miner.

The attacks have been going on since early December 2017, according to experts at the SANS Technology Institute and Morphus Labs.

Attacks fueled by CVE-2017-10271 PoC code

Attackers used recently leaked proof-of-concept exploit code for the CVE-2017-10271 vulnerability in Oracle WebLogic servers, which Oracle patched two months before as part of the Oracle Critical Patch Update (CPU) - October 2017.

The attackers' choice of vulnerability was no accident: it had a severity score of 9.8 out of 10, meaning it was both easy to exploit via the Internet and allowed attackers to execute malicious code on the server and take over the underlying machine.

Different exploits are available online as of writing [1, 2], but SANS expert Johannes B. Ullrich says attackers chose one created by Chinese security researcher Lian Zhang because it also included an IP scanner that searched for vulnerable hosts.

Hackers breach corporate networks but don't steal anything

The victims are almost all enterprises, as WebLogic, a Java EE application server, has little utility outside of corporate networks and intranets.

What surprised Ullrich and Morphus Labs researcher Renato Marinho was that, despite using the exploit to gain full access to corporate networks, attackers chose only to install a cryptocurrency miner and did not attempt to steal highly valuable corporate data or install ransomware or backdoor trojans.

In some cases, the two researchers said attackers also compromised PeopleSoft installations, a high-grade enterprise management platform that works on top of a WebLogic instance, and which holds large amounts of corporate data.

Despite this, attackers chose to mine cryptocurrency in the server's background, hoping that nobody would notice the server's high CPU use.

Hackers mined AEON and Monero

In the incidents Marinho and Ullrich analyzed, the two identified two groups: one that mined a digital currency called AEON, and another that mined the more famous Monero. While the AEON group made around $6,000, the Monero group was far more successful, mining at least 611 Monero, or over $226,000.

Marinho and Ullrich also managed to gain access to one of the attackers' servers and obtained a log of the scanner's activity. The two say the hackers mainly hit WebLogic instances hosted on cloud infrastructures such as Amazon, Digital Ocean, Google Cloud, Microsoft, Oracle Cloud, or OVH.

Besides the findings of Marinho and Ullrich, Japanese security researcher Morihisa also wrote about the WebLogic attacks.