On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) incorporated a security defect impacting the Oracle WebLogic Server into the Known Exploited Vulnerabilities (KEV) catalog, prompted by verified active exploitation.
Designated as CVE-2017-3506 (CVSS score: 7.4), this issue pertains to an OS command injection vulnerability that can be leveraged to gain illicit access to vulnerable servers and commandeer them entirely.
“Oracle WebLogic Server, a constituent of the Fusion Middleware suite, harbors an OS command injection flaw, enabling adversaries to execute arbitrary code through a meticulously crafted HTTP request embedding a nefarious XML document,” stated CISA.
Although CISA refrained from divulging the specifics of the attacks utilizing this flaw, the cryptojacking syndicate known as the 8220 Gang (also referred to as Water Sigbin), based in China, has a documented history of exploiting this vulnerability since early last year to conscript unpatched devices into a crypto-mining botnet.
Per a recent Trend Micro report, the 8220 Gang has been seen weaponizing vulnerabilities in the Oracle WebLogic server (CVE-2017-3506 and CVE-2023-21839) to clandestinely initiate a cryptocurrency miner in memory via shell or PowerShell scripts, contingent upon the targeted operating system.
“The gang utilized obfuscation methodologies, such as hexadecimal encoding of URLs and employing HTTP over port 443, facilitating covert payload dissemination,” elucidated security researcher Sunil Bharti. “The PowerShell script and resultant batch file were intricately encoded, employing environment variables to mask malicious code within ostensibly innocuous script components.”
Given the ongoing exploitation of CVE-2017-3506, federal entities are urged to implement the latest patches by June 24, 2024, to fortify their networks against prospective threats.
