Critical Oracle WebLogic flaw actively exploited by DarkIRC malware


A botnet known as DarkIRC is actively targeting thousands of exposed Oracle WebLogic servers in attacks designed to exploit the CVE-2020-14882 remote code execution (RCE) vulnerability fixed by Oracle two months ago.

Based on Shodan statistics, almost 3,000 Oracle WebLogic servers are reachable over the Internet, and the flaw allows unauthenticated attackers to execute code remotely on targeted servers, according to a Juniper Threat Labs report.

While attackers are currently targeting potentially vulnerable WebLogic servers using at least five different payloads, the most interesting is the DarkIRC malware “currently being sold on hack forums for $75.”

The threat actor selling the DarkIRC botnet on Hack Forums goes by the name of Freak_OG and started advertising it beginning with August 2020.

Juniper Threat Labs did not say that this threat actor is behind the ongoing DarkIRC attacks, even though the filename of one of the recently detected payloads is similar to a FUD (Fully Undetectable) crypter filename also advertised by Freak_OG earlier this month.

“We are not certain if the bot operator who attacked our honeypot is the same person who is advertising this malware in Hack Forums or one of his/her customers,” the report reads.

Infostealer and DDoS bot

DarkIRC is delivered to unpatched servers as a malicious binary fetched by a PowerShell script that is triggered via an HTTP GET request; the binary comes with both anti-analysis and anti-sandbox capabilities.

Before unpacking the final malware, it will first check if it’s running in a VMware, VirtualBox, VBox, QEMU, or Xen virtual machine and stop the infection process if it detects a sandbox environment.

Once unpacked, the DarkIRC bot will install itself as %APPDATA%\Chrome\Chrome.exe and will gain persistence on the compromised device by creating an autorun entry.

DarkIRC comes with a multitude of capabilities including but not limited to keylogging, downloading files and executing commands on the infected server, credential stealing, spreading to other devices via MSSQL and RDP (brute force), SMB, or USB, as well as launching several versions of DDoS attacks.
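A defender-side check for the two persistence artifacts described above (the dropped binary and its autorun entry). This is an added example, not code from the article or from the Juniper Threat Labs report; it assumes the autorun entry lives in the standard HKCU/HKLM Run or RunOnce keys, since the report only says "an autorun entry".

```powershell
# Added example (not from the article or the Juniper report): look for the DarkIRC
# persistence artifacts on a Windows host. Assumption: the autorun entry is in the
# usual Run/RunOnce keys; the report does not name the exact key.
$suspectPath = Join-Path $env:APPDATA 'Chrome\Chrome.exe'   # %APPDATA%\Chrome\Chrome.exe
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

$findings = @()

# 1. The dropped binary itself.
if (Test-Path -LiteralPath $suspectPath) {
    $f = Get-Item -LiteralPath $suspectPath
    $findings += [pscustomobject]@{
        Type     = 'File'
        Location = $suspectPath
        Detail   = "Size=$($f.Length) CreatedUtc=$($f.CreationTimeUtc)"
    }
}

# 2. Any autorun value whose command points at that path, whether it was written
#    with the %APPDATA% variable or with the expanded ...\AppData\Roaming\... form.
$pathPattern = '(%APPDATA%|AppData\\Roaming)\\Chrome\\Chrome\.exe'
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip provider metadata (PSPath, PSParentPath, ...)
        if ("$($p.Value)" -match $pathPattern) {        # -match is case-insensitive by default
            $findings += [pscustomobject]@{
                Type     = 'Autorun'
                Location = "$key\$($p.Name)"
                Detail   = $p.Value
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No DarkIRC persistence artifacts found.'
}
```

Run it from an elevated prompt so the HKLM keys are readable. A legitimate Chrome install never lives under %APPDATA%\Chrome\ (per-user installs go to %LOCALAPPDATA%\Google\Chrome\Application), so a hit on either check is worth treating as a real finding rather than a false positive.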

Attackers can also use the bot as a Bitcoin clipper that allows them to change…


Google discloses Windows zero-day exploited in the wild

Security researchers from Google have disclosed today a zero-day vulnerability in the Windows operating system that is currently under active exploitation.

The zero-day is expected to be patched on November 10, which is the date of Microsoft’s next Patch Tuesday, according to Ben Hawkes, team lead for Project Zero, Google’s elite vulnerability research team.

On Twitter, Hawkes said the Windows zero-day (tracked as CVE-2020-17087) was used as part of a two-punch attack, together with a Chrome zero-day (tracked as CVE-2020-15999) that his team disclosed last week.

The Chrome zero-day was used to allow attackers to run malicious code inside Chrome, while the Windows zero-day was the second part of this attack, allowing threat actors to escape Chrome’s secure container and run code on the underlying operating system — in what security experts call a sandbox escape.

The Google Project Zero team notified Microsoft last week and gave the company seven days to patch the bug. Details were published today, as Microsoft did not release a patch in the allotted time.

Windows 7 to Windows 10 are impacted

According to Google’s report, the zero-day is a bug in the Windows kernel that can be exploited to elevate an attacker’s code with additional permissions.

Per the report, the vulnerability impacts all Windows versions between Windows 7 and the most recent Windows 10 release.

Proof-of-concept code to reproduce the attack was also included.

Hawkes did not provide details about who was using these two zero-days. Usually, most zero-days are discovered by nation-sponsored hacking groups or large cybercrime groups.

Per the same Google report, the attacks were also confirmed by a…


WordPress security: Zero-day flaw in File Manager plugin actively exploited – The Daily Swig
