Oracle WebLogic Vulnerability Being Exploited by Bitcoin Miners
In October 2017, Oracle disclosed CVE-2017-10271, a critical vulnerability in WebLogic’s Java-based ‘WLS Security’ component. A patch was released to address the issue.
It has been widely reported that Bitcoin miners are exploiting this vulnerability to gain access to and compromise systems. Actors have been targeting a large number of WebLogic servers hosted on public cloud servers. Ports scanned by the threat actors include TCP/80, 443, 7001, 8080, 8888 and 9000.
Common vulnerable systems recently attacked have had the following versions installed:
- Update to 18.104.22.168 or higher.
- Modify firewall rules to block outbound/inbound connections to ports that are not being used by the WebLogic server.
- Block the IoCs listed in the REN-ISAC advisory report and SANS ISC InfoSec forum post on the firewall and/or IPS.
- Beware the WebLogic WLS-WSAT Component Deserialization RCE Exploit
- REN-ISAC Security Advisory
- A Story About PeopleSoft: How to Make 250k Without Leaving Home
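To support the firewall recommendation above, the following added example (not part of the original advisory) parses `ss -H -tln` output and reports which of the scanned ports are listening on a non-loopback address. The sample output and the `ports_in_use` set are constructed assumptions; replace them with the host's real data.

```python
import ipaddress

# TCP ports the advisory lists as scanned by the threat actors.
SCANNED_PORTS = {80, 443, 7001, 8080, 8888, 9000}

# Constructed sample of `ss -H -tln` output (not taken from a real host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 50 *:7001 *:*
LISTEN 0 50 127.0.0.1:9000 0.0.0.0:*
LISTEN 0 128 [::]:8080 [::]:*
LISTEN 0 128 10.0.0.5:8888 0.0.0.0:*
LISTEN 0 128 [::1]:443 [::]:*
"""

def split_local(field):
    """Split an ss 'Local Address:Port' field into (address, port)."""
    addr, _, port = field.rpartition(":")
    # Drop a %interface scope suffix first, then the IPv6 brackets.
    return addr.split("%")[0].strip("[]"), int(port)

def is_loopback(addr):
    if addr in ("*", ""):
        return False  # wildcard bind: reachable on every interface
    return ipaddress.ip_address(addr).is_loopback

def audit(ss_output, ports_in_use):
    """Return sorted (port, address, action) for exposed listeners on scanned ports."""
    findings = set()
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, port = split_local(cols[3])
        if port not in SCANNED_PORTS or is_loopback(addr):
            continue
        # Ports the WebLogic server does not need are candidates for blocking.
        findings.add((port, addr, "in-use" if port in ports_in_use else "block"))
    return sorted(findings)

if __name__ == "__main__":
    # Assumption: this host's WebLogic instance only serves on 7001.
    for port, addr, action in audit(SAMPLE_SS, ports_in_use={7001}):
        print(f"tcp/{port} on {addr}: {action}")
```

Ports reported as `in-use` still face the internet on the sample host, so they depend on the patch and on source-address restrictions rather than on a block rule.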
Herjavec Group’s Incident Response Services team is actively helping customers deal with the identification and remediation of this exploit.
For more information please connect with a Herjavec Group security specialist.