Tag Archive for: Oracle

DarkIRC Botnet Exploiting Oracle WebLogic Vulnerability


Cybercrime, Cybercrime as-a-service, Fraud Management & Cybercrime

Researchers: Malware Offered for Sale for $75
Underground hacking forum advertising the DarkIRC botnet malware (Source: Juniper Threat Labs)

A botnet called DarkIRC is exploiting a severe remote execution vulnerability in Oracle WebLogic for which a patch was issued almost two months ago, Juniper Threat Labs reports. Meanwhile, the malware used to create the botnet is being offered for sale on a darknet hacking forum.

In addition to the DarkIRC botnet, researchers at Juniper Threat Labs are tracking four other malware variants that are trying to take advantage of the WebLogic vulnerability, including a version of the Mirai botnet and a weaponized version of the Cobalt Strike penetration testing tool.


The WebLogic flaw, tracked as CVE-2020-14882, is a remote code execution vulnerability that can be exploited over a network without the need for a username and password. A threat actor would only have to send a malicious HTTP request to the WebLogic Server’s management console to initiate the attack, according to a previous update by Oracle.


Oracle and the U.S. Cybersecurity and Infrastructure Security Agency have issued alerts about the importance of applying the patch, which has been available since October (see: CISA and Oracle Warn Over WebLogic Server…

Critical Oracle WebLogic flaw actively exploited by DarkIRC malware

A botnet known as DarkIRC is actively targeting thousands of exposed Oracle WebLogic servers in attacks designed to exploit the CVE-2020-14882 remote code execution (RCE) vulnerability fixed by Oracle two months ago.

Almost 3,000 Oracle WebLogic servers are reachable over the Internet, based on Shodan stats, and allow unauthenticated attackers to execute remote code on the targeted servers, according to a Juniper Threat Labs report.

While attackers are currently targeting potentially vulnerable WebLogic servers using at least five different payloads, the most interesting is the DarkIRC malware “currently being sold on hack forums for $75.”

The threat actor selling the DarkIRC botnet on Hack Forums goes by the name Freak_OG and began advertising it in August 2020.

Juniper Threat Labs did not say that this threat actor is behind the ongoing DarkIRC attacks, even though the filename of one of the recently detected payloads is similar to a FUD (Fully Undetected) Crypter filename that Freak_OG also advertised earlier this month.

“We are not certain if the bot operator who attacked our honeypot is the same person who is advertising this malware in Hack Forums or one of his/her customers,” the report reads.

Infostealer and DDoS bot

DarkIRC is delivered to unpatched servers by a PowerShell script executed via an HTTP GET request; the payload is a malicious binary that comes with both anti-analysis and anti-sandbox capabilities.

Before unpacking the final malware, the binary first checks whether it is running in a VMware, VirtualBox, VBox, QEMU, or Xen virtual machine and stops the infection process if it detects a sandbox environment.

Once unpacked, the DarkIRC bot installs itself as %APPDATA%\Chrome\Chrome.exe and gains persistence on the compromised device by creating an autorun entry.

DarkIRC comes with a multitude of capabilities, including but not limited to keylogging, downloading files and executing commands on the infected server, credential stealing, spreading to other devices via MSSQL and RDP (brute force), SMB, or USB, and launching several kinds of DDoS attacks.

Attackers can also use the bot as a Bitcoin clipper that allows them to change…

Oracle patches another actively-exploited WebLogic zero-day – ZDNet

New wave of attacks against Oracle WebLogic servers using a brand new zero-day detected over the weekend.