pixel_dreams - Fotolia
A cyber criminal campaign is deploying Monero cryptocurrency miners on hundreds of victims’ machines by exploiting a flaw in unpatched versions of Oracle’s Fusion Middleware, security researchers have warned.
The exploit is simple to execute and comes with a Bash script to make it easy to scan for potential victims, according to Renato Marinho, security researcher at Morphus Labs.
The vulnerability affects four supported versions of Oracle Fusion Middleware – 10.3.6.0.0, 188.8.131.52.0, 184.108.40.206.0 and 220.127.116.11.0 – and at least one unsupported version (10.3.3.0) for which there is no patch.
Cryptomining is a process used to generate Bitcoin, Monero and other cryptocurrencies. It requires huge amounts of computer processing power, which slows down performance.
As cryptocurrency prices have begun to skyrocket, particularly Bitcoin, cyber criminals have started using cryptominers to make money.
Often, the only indications that a machine is being hijacked to mine cryptocurrencies is reduced performance, a spike in CPU usage, or unusual increases in temperature.
However, the dropper script used to download the miner in the Monero-generating campaign accidentally kills the WebLogic service on target machines, which may have alerted some victims, Marinho wrote in a SANS ISC InfoSec Forums blog post.
The attacks appear to have begun in December after Chinese security researcher Lian Zhang published a proof-of-concept exploit, according to Johannes Ullrich, dean of research at the SANS Technology Institute.
“Lian’s post may not be the first, but this looks like the exploit that was used in the attack discussed here, and the post appears to have started an increased interest in this flaw,” he wrote in a blog post.
According to Ullrich, the miner being used in the campaign is xmrig, which is a legitimate cryptocoin miner for Monero.
The exploited vulnerability affects WebLogic, but the researchers also found some PeopleSoft servers exploited in the same way.
In January alone, the researchers were able to identify 722 affected computers, with a high concentration of affected IP addresses at cloud providers.
“This isn’t a surprise since many organisations are moving their most critical data to the cloud to make it easier for the bad guys to get to it,” wrote Ullrich.
The attack does not appear to be targeted, with victims distributed worldwide, including the UK. “Once the exploit was published, anybody with limited scripting skills was able to participate in taking down WebLogic (/PeopleSoft) servers,” he wrote.
Ullrich said victims should not attempt to fix the issue by only removing the mining software and patching their server. “Your server was vulnerable to an easily executed remote code execution exploit,” he wrote. “It is very likely that more sophisticated attackers used this to gain a persistent foothold on the system.”
The researchers also warned that the WebLogic vulnerability could be exploited to do other things beyond installing a cryptocurrency miner because it enables any unauthenticated remote attacker to execute remote arbitrary commands with the privileges of the WebLogic server user.
Any WebLogic and PeopleSoft servers that have still not installed the patch could be target by attacks exploiting the flaw, the researchers warned.
“In this case, the campaign objective is to mine cryptocurrencies, but, of course, the vulnerability and exploit can be used for other purposes,” said Marinho. “Check your environment for this vulnerability and, if necessary, apply the patches as soon as possible.”
He also recommended that organisations check whether a vulnerable environment may already have been compromised by carefully analysing processes with a high and constant CPU consumption.