8220 Gang: Chinese Hackers Mine Crypto in US Federal Networks


CISA calls on government agencies to urgently update vulnerable systems.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Oracle WebLogic Server to its Known Exploited Vulnerabilities (KEV) catalog. The addition is based on evidence that the vulnerability is being actively exploited by attackers.

CVE-2017-3506, rated 7.4 on the CVSS scale, is an operating-system command injection vulnerability in Oracle WebLogic Server. It allows attackers to execute arbitrary code on vulnerable servers by sending a specially crafted HTTP request containing a malicious XML document. As a result, attackers can gain unauthorized access to and full control over compromised systems.

According to cybersecurity experts, the Chinese hacker group 8220 Gang, also known as Water Sigbin, has been exploiting this vulnerability since the beginning of 2022. The group uses it to build a cryptocurrency-mining botnet by infecting unpatched, vulnerable systems.

Trend Micro experts note that the 8220 Gang uses advanced code obfuscation techniques and sophisticated scripts to covertly deliver malicious payloads to the attacked systems. In particular, the group uses hexadecimal URL encoding and delivers payloads over HTTPS on port 443 to bypass intrusion detection systems.
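The hex URL encoding mentioned above works against detection because a signature written for the plain path or parameter never sees it. The defensive answer is to normalize request targets before matching and to treat escapes that were never needed (a normal client does not encode letters or digits) as a signal in their own right. The following script is an added example, not code from the article or from Trend Micro; the access log lines are constructed, and the path names and the 0.5 threshold are assumptions chosen for illustration.

```python
import re
from urllib.parse import unquote

# RFC 3986 "unreserved" characters: legitimate clients never percent-encode these,
# so an escape such as %73 (= "s") in a request line points to deliberate obfuscation.
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
PCT = re.compile(r"%([0-9A-Fa-f]{2})")
# Matches the quoted request line of a common/combined-format access log entry.
REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_layers(target, max_depth=4):
    """Percent-decode repeatedly until the string stops changing.

    Returns every intermediate form, so double encoding (%2573 -> %73 -> s)
    shows up as extra layers instead of being silently flattened.
    """
    layers = [target]
    for _ in range(max_depth):
        decoded = unquote(layers[-1])
        if decoded == layers[-1]:
            break
        layers.append(decoded)
    return layers


def needless_escape_ratio(s):
    """Fraction of percent-escapes in s that decode to an unreserved character."""
    escapes = PCT.findall(s)
    if not escapes:
        return 0.0
    needless = sum(1 for h in escapes if chr(int(h, 16)) in UNRESERVED)
    return needless / len(escapes)


def analyze_access_log_line(line, threshold=0.5):
    """Normalize one access-log line and score its request target.

    A target is flagged when at least `threshold` of its escapes were unnecessary
    at any decoding layer, or when it needed more than one decoding pass.
    Returns None for lines without a parseable request.
    """
    m = REQ.search(line)
    if not m:
        return None
    layers = decode_layers(m.group("target"))
    ratio = max(needless_escape_ratio(layer) for layer in layers)
    depth = len(layers) - 1
    return {
        "method": m.group("method"),
        "raw_target": m.group("target"),
        "decoded_target": layers[-1],  # what a signature should be matched against
        "encoding_depth": depth,
        "needless_escape_ratio": round(ratio, 2),
        "suspicious": ratio >= threshold or depth > 1,
    }


def scan(lines):
    """Return the analysis records of all suspicious lines."""
    results = (analyze_access_log_line(l) for l in lines)
    return [r for r in results if r and r["suspicious"]]


# Constructed sample log lines (not real traffic): hex-obfuscated path, benign
# request with a normal %20 space, and a double-encoded path.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2024:12:00:00 +0000] '
    '"POST /%73%65%72%76%69%63%65/%75%70%6c%6f%61%64 HTTP/1.1" 200 512',
    '198.51.100.2 - - [10/Jun/2024:12:00:01 +0000] '
    '"GET /search?q=hello%20world&lang=en HTTP/1.1" 200 1024',
    '203.0.113.9 - - [10/Jun/2024:12:00:02 +0000] '
    '"POST /%2573%2565%2572%2576%2569%2563%2565 HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Run the decoded target, not the raw one, through whatever signature or allow-list matching follows; the ratio and depth fields are heuristics, so a SIEM rule would typically combine them with the destination (application server endpoints) and the source reputation rather than alert on encoding alone.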

The malicious PowerShell and batch scripts use sophisticated techniques to encode the payload and hide it inside seemingly harmless scripts using environment variables.

Given the confirmed active exploitation of CVE-2017-3506 and of another critical Oracle WebLogic vulnerability (CVE-2023-21839), US federal agencies are directed to apply Oracle's available patches by June 24, 2024. This is necessary to protect government networks from cyber attacks by hacker groups.