Delaware, USA – July 24, 2018 – Last week, Oracle released an update closing critical vulnerabilities in WebLogic servers that allow attackers to easily take control of the entire server by dropping a JSP backdoor, without needing any credentials. A few days later, several proof-of-concept exploits for the patched vulnerabilities were published on the web, which resulted in a wave of attacks. The first exploitation attempts using the PoC were discovered on Saturday, July 21, and shortly afterwards researchers from Qihoo 360 Netlab and ISC SANS discovered two large-scale campaigns exploiting the CVE-2018-2893 vulnerability. In both cases, the attackers use a public PoC exploit to install a backdoor and infect the servers with a Monero cryptocurrency miner. Earlier this year, Oracle WebLogic servers were targeted by two successful malicious campaigns that exploited previously patched vulnerabilities.
To protect against the ongoing campaigns, install the latest updates. It is also recommended to block external access to port 7001. Next, make sure that no backdoor has already been installed on your Oracle WebLogic server; you can use ArcSight with the Web Application Security Framework to detect misuse of servers and breach attempts. You can also use the new Sigma rule created by Florian Roth to uncover exploitation of the vulnerability in Oracle WebLogic: https://tdm.socprime.com/sigma/generate/CwLfxmQBqfpvXJhT3g7_/
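One way to check a WebLogic deployment tree for JSP files that were dropped or altered since a known-good state, as an added example that is not part of the original post or the Sigma rule: snapshot the hashes of all JSP files, compare a later snapshot against it, and flag the differences whose content matches a simple web-shell heuristic. The directory layout in `demo()` and the `SHELL_HINTS` patterns are assumptions for illustration; in practice point `snapshot_jsp` at the domain's deployed applications and treat hits as leads to review, not verdicts.

```python
"""Hunt for JSP files dropped into a WebLogic deployment tree since a baseline.

Added example, not from the original post. The tree layout under the root
used in demo() is a constructed placeholder for a real WebLogic domain.
"""
import hashlib
import re
import tempfile
from pathlib import Path

JSP_SUFFIXES = (".jsp", ".jspx")
# Heuristic only (assumption): constructs commonly seen in JSP web shells.
SHELL_HINTS = re.compile(r"Runtime\.getRuntime\(\)\.exec|ProcessBuilder\(", re.I)


def snapshot_jsp(root):
    """Map each .jsp/.jspx under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in JSP_SUFFIXES
    }


def diff_snapshots(baseline, current):
    """Return (new, modified): paths absent from baseline, or with a changed hash."""
    new = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return new, modified


def flag_shell_like(root, paths):
    """Subset of paths whose content matches the web-shell heuristic."""
    return [p for p in paths if SHELL_HINTS.search((Path(root) / p).read_text(errors="ignore"))]


def demo():
    """Constructed scenario: a baseline app, then one dropped file and one tampered page."""
    root = Path(tempfile.mkdtemp())
    app = root / "myapp" / "WEB-INF"
    app.mkdir(parents=True)
    (root / "myapp" / "index.jsp").write_text("<html>hello</html>")
    (app / "helper.jsp").write_text('<%= request.getParameter("q") %>')
    baseline = snapshot_jsp(root)
    # Simulate the post-compromise state; the marker only triggers the heuristic.
    (app / "dropped.jsp").write_text("<%-- constructed marker: ProcessBuilder( --%>")
    (root / "myapp" / "index.jsp").write_text("<html>hello (edited)</html>")
    new, modified = diff_snapshots(baseline, snapshot_jsp(root))
    return new, modified, flag_shell_like(root, new + modified)


if __name__ == "__main__":
    print(demo())
```

Take the baseline snapshot right after patching and verifying the server, and store it off-host so a compromised server cannot rewrite it.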