Oracle WebLogic Vulnerability Being Exploited by Bitcoin Miners

January 12, 2018

In October 2017, Oracle disclosed CVE-2017-10271, a critical vulnerability in the Java-based 'WLS Security' component of WebLogic Server. A patch was released to address the issue.

It's been widely reported that Bitcoin miners have been exploiting this vulnerability to gain access to and compromise systems. Threat actors have been targeting a large number of WebLogic servers hosted on public cloud infrastructure. Ports scanned by the threat actors include TCP/80, 443, 7001, 8080, 8888 and 9000.

Recently attacked systems have commonly had the following WebLogic versions installed:

  • 10.3.6.0.0
  • 12.1.3.0.0
  • 12.2.1.1.0
  • 12.2.1.2.0

Recommendations:

  • Update to 12.2.1.3 or higher.
  • Modify firewall rules to block inbound and outbound connections on ports that the WebLogic server does not use.
  • Block the IoCs listed in the REN-ISAC advisory report and the SANS ISC InfoSec forum post on the firewall and/or IPS.
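As an added example that is not part of the original advisory, the Python script below applies two of the points above to constructed data: it flags an installed WebLogic version that is on the list above or below the 12.2.1.3 fix level, and it reports source addresses that probe several of the listed ports in a set of constructed firewall log lines. The log format, the IP addresses and the three-port threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Versions the advisory lists as commonly attacked, and the fix level it recommends.
VULNERABLE_VERSIONS = {"10.3.6.0.0", "12.1.3.0.0", "12.2.1.1.0", "12.2.1.2.0"}
FIXED_VERSION = "12.2.1.3"
# Ports the advisory says threat actors have been scanning for WebLogic.
WEBLOGIC_SCAN_PORTS = {80, 443, 7001, 8080, 8888, 9000}

def parse_version(version):
    """Turn '12.1.3.0.0' into a comparable tuple of ints, padded to 5 components."""
    parts = tuple(int(x) for x in version.split("."))
    return parts + (0,) * (5 - len(parts))

def needs_patch(version):
    """True if the version is on the advisory's list or below the 12.2.1.3 fix level."""
    return version in VULNERABLE_VERSIONS or parse_version(version) < parse_version(FIXED_VERSION)

# Constructed firewall log format (hypothetical, not any real product's format):
# "<timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>"
LOG_RE = re.compile(r"src=(\S+) dst=\S+ dport=(\d+)")

def find_port_sweeps(lines, min_ports=3):
    """Map each source that touched at least min_ports of the listed ports to those ports."""
    seen = defaultdict(set)
    for line in lines:
        match = LOG_RE.search(line)
        if match is None:
            continue  # skip lines that do not match the expected format
        src, dport = match.group(1), int(match.group(2))
        if dport in WEBLOGIC_SCAN_PORTS:
            seen[src].add(dport)
    return {src: sorted(ports) for src, ports in seen.items() if len(ports) >= min_ports}

# Constructed sample log lines using documentation (TEST-NET) addresses.
SAMPLE_LOGS = [
    "2018-01-10T03:12:01Z src=203.0.113.7 dst=198.51.100.5 dport=7001 action=deny",
    "2018-01-10T03:12:02Z src=203.0.113.7 dst=198.51.100.5 dport=8080 action=deny",
    "2018-01-10T03:12:02Z src=203.0.113.7 dst=198.51.100.5 dport=8888 action=deny",
    "2018-01-10T03:12:03Z src=203.0.113.7 dst=198.51.100.5 dport=80 action=allow",
    "2018-01-10T03:15:40Z src=192.0.2.9 dst=198.51.100.5 dport=443 action=allow",
    "2018-01-10T03:16:11Z src=192.0.2.9 dst=198.51.100.5 dport=22 action=deny",
    "malformed line that should be ignored",
]

if __name__ == "__main__":
    for v in ("12.1.3.0.0", "12.2.1.3.0"):
        print(v, "needs patch" if needs_patch(v) else "at or above fix level")
    print(find_port_sweeps(SAMPLE_LOGS))
```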

Sources:

Herjavec Group's Incident Response Services team is actively helping customers identify and remediate this exploit.

For more information, please connect with a Herjavec Group security specialist.


About Herjavec Group

Dynamic entrepreneur Robert Herjavec founded Herjavec Group in 2003 to provide cybersecurity products and services to enterprise organizations. We have been recognized as one of the world’s most innovative cybersecurity operations leaders, and excel in complex, multi-technology environments. Our service expertise includes Advisory Services, Technology Architecture & Implementation, Identity Services, Managed Security Services and Incident Response. Herjavec Group has offices and Security Operations Centers across the United States, United Kingdom and Canada.
