HackRead
Attackers Exploit Oracle WebLogic Flaw to Mine $226K in Monero

January 12th, 2018 Waqas Hacking News, Security 0 comments

Another day, another Monero cryptomining campaign, and this time the attackers are exploiting a security flaw in Oracle WebLogic Server, part of Oracle Fusion Middleware.

A SANS Technology Institute report published on 7 January presents findings by Morphus Labs researcher Renato Marinho: a new, globally active cybercrime campaign is compromising servers to mine the Monero cryptocurrency.

Marinho explains that Monero miners are being deployed on hundreds of machines by exploiting a flaw present in both supported and unsupported versions of Oracle Fusion Middleware. Multiple attackers are involved, and the prime targets are PeopleSoft and WebLogic servers.

The attackers leverage a flaw in the WebLogic application server (CVE-2017-10271) that Oracle patched in its October 2017 Critical Patch Update. A proof-of-concept exploit for the vulnerability was published by Chinese security researcher Lian Zhang in December 2017, and it was most likely adapted for this campaign: as soon as the proof-of-concept appeared, reports of cryptominer installations began pouring in from a variety of servers, some of which had already been compromised, hosted at Athenix, GoDaddy and DigitalOcean.

The exploit is easy to run: the attackers use a Bash script to scan for potential targets quickly and at scale. The vulnerability affects four supported versions of Oracle Fusion Middleware (10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0) as well as the unsupported, and therefore unpatched, version 10.3.3.0. Marinho notes that the dropper script that downloads the miner also kills the WebLogic services on the targeted host, an outage that is what alerted some of the victims. The attacks began in December, soon after Zhang's proof-of-concept was made public.
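For defenders who want to check their own estate against the details above, the following is an added example (not code from the article, from SANS, or from Morphus Labs) that does two things: it triages a WebLogic version string against the affected versions the article lists, and it flags requests that look like CVE-2017-10271 exploitation attempts. The endpoint and payload markers it looks for are background knowledge about the vulnerability rather than something the article states: the flaw sits in the WLS-WebServices (wls-wsat) component, which hands the SOAP body to java.beans.XMLDecoder, so exploit traffic is a POST to a /wls-wsat/ path whose body names XMLDecoder and usually a command-execution class. The combined-format access log layout, the sample log lines and the captured request are all constructed for the example.

```python
"""Triage helpers for CVE-2017-10271 (Oracle WebLogic wls-wsat XMLDecoder flaw).

Added example, not the article's or the researchers' own code. The affected-version
lists come from the article; the endpoint and payload markers are background
knowledge about the CVE; all sample data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Versions the article lists as affected: four supported (patched in the Oct 2017 CPU)
# and one unsupported release for which no patch exists.
AFFECTED_SUPPORTED = {"10.3.6.0.0", "12.1.3.0.0", "12.2.1.1.0", "12.2.1.2.0"}
AFFECTED_UNSUPPORTED = {"10.3.3.0"}

# Exploit traffic targets the wls-wsat SOAP endpoint (assumption: background knowledge,
# not stated on the page). The body is parsed by java.beans.XMLDecoder, so a payload
# will name XMLDecoder and, for command execution, ProcessBuilder or Runtime.
WSAT_PATH = re.compile(r"^/wls-wsat/", re.IGNORECASE)
BODY_MARKERS = ("xmldecoder", "processbuilder", "java.lang.runtime")

# Combined-format access log line; assumed layout for this example.
ACCESS_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)


@dataclass
class Finding:
    ip: str
    path: str
    reason: str
    severity: str  # "high" = payload markers seen, "medium" = endpoint hit without body, "low" = benign-looking body


def is_affected(version: str) -> str:
    """Map a WebLogic version string to the action the article implies."""
    v = version.strip()
    if v in AFFECTED_SUPPORTED:
        return "affected: apply the October 2017 CPU patch"
    if v in AFFECTED_UNSUPPORTED:
        return "affected: no patch available, upgrade or isolate"
    return "not in the affected list (verify independently)"


def classify_request(method: str, path: str, body: Optional[str] = None) -> Optional[Tuple[str, str]]:
    """Return (reason, severity) for a suspicious request, or None if it is not of interest."""
    if method.upper() != "POST" or not WSAT_PATH.match(path):
        return None
    if body is None:
        # Access logs do not carry bodies, so the best we can say is that the endpoint was hit.
        return ("POST to wls-wsat endpoint; body not captured", "medium")
    lowered = body.lower()
    hits = [m for m in BODY_MARKERS if m in lowered]
    if hits:
        return ("wls-wsat POST carrying XMLDecoder payload markers: " + ", ".join(hits), "high")
    return ("POST to wls-wsat endpoint without known payload markers", "low")


def scan_access_log(lines: Iterable[str]) -> List[Finding]:
    """Flag endpoint hits in combined-format access log lines (no request bodies available)."""
    findings = []
    for line in lines:
        m = ACCESS_LOG.match(line)
        if not m:
            continue
        verdict = classify_request(m["method"], m["path"])
        if verdict:
            findings.append(Finding(m["ip"], m["path"], verdict[0], verdict[1]))
    return findings


def scan_captured_requests(requests: Iterable[dict]) -> List[Finding]:
    """Flag full requests (e.g. from a reverse proxy or WAF capture) where the body is available."""
    findings = []
    for r in requests:
        verdict = classify_request(r["method"], r["path"], r.get("body"))
        if verdict:
            findings.append(Finding(r["ip"], r["path"], verdict[0], verdict[1]))
    return findings


# Constructed sample data: two probes of the wls-wsat endpoint from one address, one console login.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jan/2018:03:14:07 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1203',
    '198.51.100.7 - - [12/Jan/2018:03:15:22 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4721',
    '203.0.113.5 - - [12/Jan/2018:03:16:01 +0000] "POST /wls-wsat/CoordinatorPortType11 HTTP/1.1" 500 1203',
]

# Constructed captured request with an abbreviated body naming the XMLDecoder and ProcessBuilder classes.
SAMPLE_CAPTURE = [
    {
        "ip": "203.0.113.5",
        "method": "POST",
        "path": "/wls-wsat/CoordinatorPortType",
        "body": '<soapenv:Envelope><soapenv:Header><work:WorkContext><java version="1.8" '
                'class="java.beans.XMLDecoder"><object class="java.lang.ProcessBuilder">...',
    }
]

if __name__ == "__main__":
    for ver in ("10.3.6.0.0", "10.3.3.0", "12.2.1.4.0"):
        print(ver, "->", is_affected(ver))
    for f in scan_access_log(SAMPLE_LOG) + scan_captured_requests(SAMPLE_CAPTURE):
        print(f.severity.upper(), f.ip, f.path, f.reason)
```

Run over real access logs, the "medium" findings are the addresses worth correlating with the dropper behaviour described in the article: a WebLogic instance that stopped unexpectedly shortly after a wls-wsat POST is a strong signal even without the request body.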

“Lian’s post may not be the first, but this looks like the exploit that was used in the attack discussed here, and the post appears to have started an increased interest in this flaw,” wrote Ullrich.

So far there is no evidence of data loss from the compromised machines, and the exploit's primary purpose appears to be mining cryptocurrency. According to the analysis of Johannes B. Ullrich, SANS' Dean of Research, at least one attacker collected 611 Monero coins, worth roughly $226,000.

Ullrich noted that the campaign is wide in scope, with victims distributed worldwide. He does not believe it is a targeted campaign: once the proof-of-concept reached the internet, anyone with basic scripting skills could attack WebLogic and PeopleSoft servers.

The attacker installs XMRig, a legitimate open-source Monero mining package, on around 722 vulnerable PeopleSoft and WebLogic systems. Most of them run on public cloud services: more than 140 are in Amazon Web Services, and about 30 are on Oracle's own public cloud.

Ullrich advises that victims must patch their servers, not merely respond to the intrusion and delete the miner.

  • Tags
  • Cryptocurrency
  • Cyber Crime
  • hacking
  • Malware
  • Monero
  • Oracle
  • Scam
  • security
  • Vulnerability
Waqas