A remotely exploitable vulnerability in the Oracle WebLogic Server is currently the attack vector of choice for malicious actors to deliver a newly discovered ransomware called Sodinokibi.
Sodinokibi encrypts data found in the user directory and leverages the Microsoft Windows vssadmin.exe utility to delete any “shadow copies” (created by default back-up mechanisms) in order to prevent data recovery, researchers from Cisco’s Talos threat research group have reported in a company blog post. The malware’s ransom note directs victims to either a .onion website or to the public domain decryptor[.]top to make a payment for a decryption program.
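As an added illustration (not code from the Talos post or this article), the following Python flags the shadow-copy deletion behaviour described above in constructed Windows process-creation records; the record shape, the ADMIN_SHELLS allowlist and the severity heuristic are assumptions, not details from the report.

```python
import re

# Constructed sample of Windows process-creation records (field names loosely
# follow Security event 4688 / Sysmon event 1); this is not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"host": "ws02", "parent": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "ws03", "parent": r"C:\Users\bob\Downloads\invoice.exe",
     "cmdline": 'cmd.exe /c "vssadmin  delete shadows /all /quiet & wbadmin delete catalog -quiet"'},
    {"host": "ws04", "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": "vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=10%"},
    {"host": "ws05", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin delete shadows /Shadow={11111111-2222-3333-4444-555555555555}"},
]

# vssadmin is case-insensitive and tolerates repeated whitespace; match the
# verb/noun pair anywhere in the line so cmd.exe wrappers are caught too.
DELETE_SHADOWS = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)

# Parents from which an administrator would normally run the utility (assumed
# allowlist); anything else, such as a binary in a user-writable directory,
# is the pattern seen when malware spawns the utility directly.
ADMIN_SHELLS = {"cmd.exe", "powershell.exe", "explorer.exe", "mmc.exe"}


def is_shadow_deletion(cmdline: str) -> bool:
    """True when the command line invokes vssadmin's shadow-copy deletion."""
    return DELETE_SHADOWS.search(cmdline) is not None


def detect_shadow_copy_deletion(events):
    """Return one alert per event that deletes shadow copies; severity is
    'high' unless the parent process is a known admin shell."""
    alerts = []
    for ev in events:
        if not is_shadow_deletion(ev["cmdline"]):
            continue
        parent_name = ev["parent"].rsplit("\\", 1)[-1].lower()
        severity = "medium" if parent_name in ADMIN_SHELLS else "high"
        alerts.append({"host": ev["host"], "severity": severity,
                       "parent": ev["parent"], "cmdline": ev["cmdline"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f'{alert["severity"].upper():6} {alert["host"]}: {alert["cmdline"]}')
```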
The server vulnerability, CVE-2019-2725, is a critical remote code execution flaw that is caused by a deserialization error. Oracle patched the bug in an April 26 out-of-band security update, after it was discovered that adversaries had been exploiting it earlier that month as a zero-day.
WebLogic users who have not downloaded the update remain prone to attack. Attackers can simply cause the servers to download a copy of Sodinokibi from a malicious IP address, without even having to trick the victim into performing an unsafe action.
In a case Talos has been investigating, the Sodinokibi actors first initiated their ransomware attack on April 25, the day before Oracle issued its security update.
“Due to the ubiquity of Oracle WebLogic servers and the ease of exploitation of this vulnerability, Talos expects widespread attacks involving CVE-2019-2725,” states the blog post, co-authored by researchers Pierre Cadieux, Colin Grady, Jaeson Schultz and Matt Valites.
During their investigation into one particular Sodinokibi infection, the researchers noticed the attackers attempted to exploit the WebLogic flaw a second time to infect the same victim with the better-known Gandcrab ransomware.
“Sodinokibi being a new flavor of ransomware, perhaps the attackers felt their earlier attempts had been unsuccessful and were still looking to cash in by distributing Gandcrab,” wrote the researchers, who in their blog post list a series of recommended countermeasures to defend against the attack.