New Sodinokibi ransomware delivered via Oracle WebLogic vulnerability

May 1, 2019

A remotely exploitable vulnerability in the Oracle WebLogic Server is currently the attack vector of choice for malicious actors to deliver a newly discovered ransomware called Sodinokibi.

Sokinokibi encrypts data found in the user directory and leverages the Microsoft Windows vssadmin.exe utility to delete any "shadow copies" (created by default back-up mechanisms) in order to prevent data recovery, researchers from Cisco's Talos threat research group have reported in a company blog post. The malware's ransom note directs victims to either a .onion website or to the public domain decryptor[.]top to make a payment for a decryption program.

The server vulnerability, CVE-2019-2725, is a critical remote code execution flaw that is caused by a deserialization error. Oracle patched the bug in an April 26 out-of-band security update, after it was discovered that adversaries had been exploiting it earlier that month as a zero-day.

WebLogic users who have not downloaded the update remain prone to attack. Attackers can simply cause the servers to download a copy of Sodinokibi from a malicious IP address, without even having to trick the victim into performing an unsafe action.

In a case Talos has been investigating, the Sokinokibi actors first initiated their ransomware attack on April 25, the day before Oracle issued its security update.

"Due to the ubiquity of Oracle WebLogic servers and the ease of exploitation of this vulnerability, Talos expects widespread attacks involving CVE-2019-272," states the blog post, co-authored by researchers Pierre Cadieux, Colin Grady, Jaeson Schultz and Matt Valites.

During their investigation into one particular Sodinokibi infection, the researchers noticed the attackers attempted to exploit the WebLogic flaw a second time to infect the same victim with the better known Gandcrab ransomware

"Sodinokibi being a new flavor of ransomware, perhaps the attackers felt their earlier attempts had been unsuccessful and were still looking to cash in by distributing Gandcrab," wrote the researchers, who in their blog post list a series of recommended countermeasures to defend against the attack.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

New Sodinokibi ransomware delivered via Oracle WebLogic vulnerability

Related

Over 2.5M individuals impacted by Harvard Pilgrim Health Care ransomware attack

ALPHV/BlackCat ransomware attack against Casepoint under investigation

LatAm email accounts targeted by novel Horabot malware campaign

Related Events

Beauty in the Basics: Battling advanced ATO schemes with simple practices

Evening the Odds Against Overpowered Cyber Adversaries: A Business Impact Analysis

2023 CISO Cybersecurity Priorities

Get daily email updates