Installation of mining malware on Oracle WebLogic servers brought criminals over $220,000


Researchers at the SANS Technology Institute and Morphus Labs reported attacks on Oracle WebLogic servers. In early December 2017, unknown attackers began installing malware that mines the Monero and AEON cryptocurrencies on compromised machines, and have already earned more than $220,000.

Experts say that the attackers use a proof-of-concept exploit for the CVE-2017-10271 vulnerability, which Oracle fixed two months ago, to break into the servers. According to the researchers, the choice of this particular vulnerability is not accidental: the flaw is easy to exploit remotely, it allows arbitrary code execution on a vulnerable machine, and its severity is rated 9.8 on a ten-point scale. Several exploits for the flaw are publicly available (1, 2), but the attackers chose a PoC written by a Chinese information security expert, since that version comes bundled with an IP scanner for finding vulnerable hosts.

Although the compromised Oracle WebLogic servers belong to many different companies, the attackers are not interested in corporate espionage or sensitive data. Instead of deploying ransomware on the companies' servers or stealing valuable information, the attackers opted for mining.

The researchers found that at least two hacker groups were behind the attacks, one focused on mining AEON and the other on mining Monero. While the first group earned only $6,000, their "colleagues" were more successful: Monero mining brought the attackers more than $226,000.

During the investigation, the specialists managed to gain access to one of the attackers' control servers and examine the scanners' activity logs. It turned out that the attackers are primarily interested in WebLogic installations hosted in the clouds of Amazon, Digital Ocean, Google Cloud, Microsoft, Oracle Cloud and OVH.