
New Sodinokibi ransomware delivered via Oracle WebLogic vulnerability

A remotely exploitable vulnerability in the Oracle WebLogic Server is currently the attack vector of choice for malicious actors to deliver a newly discovered ransomware called Sodinokibi.

Sodinokibi encrypts data found in the user directory and leverages the Microsoft Windows vssadmin.exe utility to delete any "shadow copies" (created by default backup mechanisms) in order to prevent data recovery, researchers from Cisco's Talos threat research group have reported in a company blog post. The malware's ransom note directs victims to either a .onion website or to the public domain decryptor[.]top to make a payment for a decryption program.
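The shadow-copy deletion described above is one of the more reliable host-side signals that a ransomware run is under way, because legitimate software rarely wipes every restore point. The following Python is added here as an illustration and is not code from the Talos report or from this article: it parses a few constructed process-creation log lines (a generic field=value layout similar to many EDR or Sysmon exports) and flags command lines that delete volume shadow copies. It goes slightly beyond the article by also matching the equivalent "wmic shadowcopy delete" form; the host names, user names, timestamps and field names are all made up.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (not real telemetry). The layout is
# a generic "key=value" line with the command line in double quotes.
SAMPLE_EVENTS = [
    'ts=2019-04-25T10:01:12Z host=WEB01 user=SYSTEM parent=java.exe image=cmd.exe '
    'cmdline="cmd.exe /c vssadmin.exe delete shadows /all /quiet"',
    'ts=2019-04-25T10:01:13Z host=WEB01 user=SYSTEM parent=cmd.exe image=vssadmin.exe '
    'cmdline="vssadmin.exe Delete Shadows /All /Quiet"',
    'ts=2019-04-25T10:05:00Z host=WEB01 user=backupsvc parent=services.exe image=vssadmin.exe '
    'cmdline="vssadmin.exe list shadows"',
    'ts=2019-04-25T10:06:30Z host=WS07 user=alice parent=explorer.exe image=notepad.exe '
    'cmdline="notepad.exe notes.txt"',
    'ts=2019-04-25T10:07:45Z host=WEB01 user=SYSTEM parent=powershell.exe image=wmic.exe '
    'cmdline="wmic shadowcopy delete"',
]

# key=value pairs; a value is either a double-quoted string or a run of non-spaces.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Detection rules: (rule name, case-insensitive pattern over the command line).
# The vssadmin form is the one the article describes; the wmic form is the
# well-known equivalent and is included as a generalisation.
SHADOW_DELETE_RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r'\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b', re.IGNORECASE)),
    ("wmic_shadowcopy_delete",
     re.compile(r'\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b', re.IGNORECASE)),
]


@dataclass
class Alert:
    rule: str
    ts: str
    host: str
    user: str
    parent: str
    cmdline: str


def parse_event(line: str) -> dict:
    """Turn one key=value log line into a dict; quoted values lose their quotes."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key = m.group(1)
        # group(3) is the inside of a quoted value, group(2) the raw token otherwise
        fields[key] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def detect_shadow_deletion(lines) -> list:
    """Return one Alert per event whose command line deletes shadow copies."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("cmdline", "")
        for rule, pattern in SHADOW_DELETE_RULES:
            if pattern.search(cmd):
                alerts.append(Alert(
                    rule=rule,
                    ts=ev.get("ts", "?"),
                    host=ev.get("host", "?"),
                    user=ev.get("user", "?"),
                    parent=ev.get("parent", "?"),
                    cmdline=cmd,
                ))
                break  # one alert per event is enough
    return alerts


if __name__ == "__main__":
    for a in detect_shadow_deletion(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.ts} {a.host} user={a.user} parent={a.parent}: {a.cmdline}")
```

Run against the constructed events, the two "delete shadows" lines and the wmic line are flagged while the "list shadows" query from the backup service is not. In a real deployment the parent process is the field worth keying on: a shadow-copy wipe whose ancestry leads back to an application-server process such as java.exe, as in the WebLogic case the article describes, deserves a higher severity than the same command run interactively by an administrator.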

The server vulnerability, CVE-2019-2725, is a critical remote code execution flaw that is caused by a deserialization error. Oracle patched the bug in an April 26 out-of-band security update, after it was discovered that adversaries had been exploiting it earlier that month as a zero-day.

WebLogic users who have not downloaded the update remain prone to attack. Attackers can simply cause the servers to download a copy of Sodinokibi from a malicious IP address, without even having to trick the victim into performing an unsafe action.

In a case Talos has been investigating, the Sodinokibi actors first initiated their ransomware attack on April 25, the day before Oracle issued its security update.

"Due to the ubiquity of Oracle WebLogic servers and the ease of exploitation of this vulnerability, Talos expects widespread attacks involving CVE-2019-2725," states the blog post, co-authored by researchers Pierre Cadieux, Colin Grady, Jaeson Schultz and Matt Valites.

During their investigation into one particular Sodinokibi infection, the researchers noticed the attackers attempted to exploit the WebLogic flaw a second time to infect the same victim with the better-known Gandcrab ransomware.

"Sodinokibi being a new flavor of ransomware, perhaps the attackers felt their earlier attempts had been unsuccessful and were still looking to cash in by distributing Gandcrab," wrote the researchers, who in their blog post list a series of recommended countermeasures to defend against the attack.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
