Oracle WebLogic Vulnerability Being Exploited by Bitcoin Miners
January 12, 2018
In October 2017, Oracle disclosed CVE-2017-10271, a critical vulnerability in the Java-based 'WLS Security' component of WebLogic Server. Oracle released a patch to address the issue.
It has been widely reported that Bitcoin miners are exploiting this vulnerability to gain access to and compromise systems. The actors have targeted a large number of WebLogic servers hosted on public cloud infrastructure. Ports scanned by the threat actors include TCP/80, 443, 7001, 8080, 8888 and 9000.
Systems attacked recently have commonly had one of the following versions installed:
- 10.3.6.0.0
- 12.1.3.0.0
- 12.2.1.1.0
- 12.2.1.2.0
Recommendations:
- Update to 12.2.1.3 or higher.
- Modify firewall rules to block outbound/inbound connections to ports that are not being used by the WebLogic server.
- Block the IoCs listed in the REN-ISAC advisory report and SANS ISC InfoSec forum post on the firewall and/or IPS.
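The following inventory triage script is an added example, not part of the advisory or Herjavec Group tooling. It applies the first two recommendations to a constructed list of WebLogic hosts: it flags versions below 12.2.1.3 (and the attacked versions listed above) as needing the patch, and flags reachable ports that are not on the host's documented allow-list, calling out the ones the advisory says actors are scanning; the host names, versions and port sets are made-up sample data.

```python
"""Triage WebLogic hosts for CVE-2017-10271 exposure (added example, constructed data)."""
from typing import Dict, Iterable, List, Tuple

# Versions the advisory reports as commonly attacked.
KNOWN_VULNERABLE = {"10.3.6.0.0", "12.1.3.0.0", "12.2.1.1.0", "12.2.1.2.0"}
# Advisory recommendation: update to 12.2.1.3 or higher.
FIXED_VERSION = (12, 2, 1, 3)
# Ports the advisory reports being scanned by threat actors.
SCANNED_PORTS = {80, 443, 7001, 8080, 8888, 9000}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '12.2.1.10.0' into (12, 2, 1, 10, 0) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.strip().split("."))


def needs_patch(version: str) -> bool:
    """True if the version is one of the listed attacked versions or below 12.2.1.3."""
    if version in KNOWN_VULNERABLE:
        return True
    # Tuple comparison is lexicographic, so a shorter string like '10.3.6' still works.
    return parse_version(version)[:4] < FIXED_VERSION


def unexpected_exposure(open_ports: Iterable[int], allowed: Iterable[int]) -> Tuple[List[int], List[int]]:
    """Split reachable-but-unlisted ports into (actively scanned, other) for the firewall fix."""
    extra = set(open_ports) - set(allowed)
    return sorted(extra & SCANNED_PORTS), sorted(extra - SCANNED_PORTS)


# Constructed sample inventory; none of these hosts exist.
SAMPLE_INVENTORY = [
    {"host": "wls-prod-01", "version": "12.2.1.2.0", "open_ports": [443, 7001], "allowed_ports": [443]},
    {"host": "wls-prod-02", "version": "12.2.1.3.0", "open_ports": [443], "allowed_ports": [443]},
    {"host": "wls-legacy", "version": "10.3.6.0.0", "open_ports": [80, 7001, 8888, 2222], "allowed_ports": [80]},
    {"host": "wls-new", "version": "12.2.1.10.0", "open_ports": [443, 9000], "allowed_ports": [443, 9000]},
]


def triage(inventory: List[dict]) -> Dict[str, List[str]]:
    """Return per-host remediation items; hosts with nothing to fix are omitted."""
    findings: Dict[str, List[str]] = {}
    for item in inventory:
        issues = []
        if needs_patch(item["version"]):
            issues.append(f"patch: {item['version']} -> 12.2.1.3 or higher")
        scanned, other = unexpected_exposure(item["open_ports"], item["allowed_ports"])
        if scanned:
            issues.append(f"block actively scanned ports: {scanned}")
        if other:
            issues.append(f"block unused ports: {other}")
        if issues:
            findings[item["host"]] = issues
    return findings
```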
Sources:
- Beware the WebLogic WLS-WSAT Component Deserialization RCE Exploit
- REN-ISAC Security Advisory
- A Story About PeopleSoft: How to Make 250k Without Leaving Home
Herjavec Group's Incident Response Services team is actively helping customers deal with the identification and remediation of this exploit.
For more information please connect with a Herjavec Group security specialist.