The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a security flaw impacting the Oracle WebLogic Server to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
Tracked as CVE-2017-3506 (CVSS score: 7.4), the issue concerns an operating system (OS) command injection vulnerability that could be exploited to obtain unauthorized access to susceptible servers and take complete control.
“Oracle WebLogic Server, a product within the Fusion Middleware suite, contains an OS command injection vulnerability that allows an attacker to execute arbitrary code via a specially crafted HTTP request that includes a malicious XML document,” CISA said.
While the agency did not disclose the nature of the attacks exploiting the vulnerability, the China-based cryptojacking group known as the 8220 Gang (aka Water Sigbin) has a history of leveraging it since early last year to co-opt unpatched devices into a crypto-mining botnet.
According to a recent report published by Trend Micro, the 8220 Gang has been observed weaponizing flaws in the Oracle WebLogic server (CVE-2017-3506 and CVE-2023-21839) to launch a cryptocurrency miner filelessly in memory via a shell or PowerShell script, depending on the operating system targeted.
“The gang employed obfuscation techniques, such as hexadecimal encoding of URLs and using HTTP over port 443, allowing for stealthy payload delivery,” security researcher Sunil Bharti said. “The PowerShell script and the resulting batch file involved complex encoding, using environment variables to hide malicious code within seemingly benign script components.”
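The three obfuscation traits named in that quote (hex-encoded URLs, plain HTTP on the TLS port, and strings assembled from environment-variable slices) are each cheap to surface when triaging a recovered script. The following detector is an added example written for this page; it is not code from Trend Micro or from the report, and the PowerShell and batch snippets it scans are constructed samples (TEST-NET address 192.0.2.10, a `.invalid` hostname) rather than indicators from the campaign.

```python
import re
from urllib.parse import unquote, urlsplit

# Runs of eight or more %XX escapes: long enough to hold a URL, short enough
# to catch a URL that is only partially encoded.
PERCENT_HEX_RE = re.compile(r"(?:%[0-9A-Fa-f]{2}){8,}")
# Plain http(s) URLs appearing in clear text.
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)
# Batch substring expansion (%VAR:~start,len%), the mechanism used to build a
# string from characters of an environment variable.
ENV_SLICE_RE = re.compile(r"%[A-Za-z_][A-Za-z0-9_]*:~-?\d+,\d+%")


def decode_hex_urls(text):
    """Return URLs recovered from percent-hex runs in the script text."""
    found = []
    for match in PERCENT_HEX_RE.finditer(text):
        decoded = unquote(match.group(0))
        if decoded.lower().startswith(("http://", "https://")):
            found.append(decoded)
    return found


def plain_http_on_443(urls):
    """Return URLs that speak cleartext HTTP on the port normally used for TLS."""
    hits = []
    for url in urls:
        parts = urlsplit(url)
        try:
            port = parts.port  # raises ValueError on a malformed port
        except ValueError:
            continue
        if parts.scheme.lower() == "http" and port == 443:
            hits.append(url)
    return hits


def analyze(script):
    """Summarise the obfuscation traits present in one script body."""
    decoded = decode_hex_urls(script)
    clear_urls = URL_RE.findall(script)
    env_slices = ENV_SLICE_RE.findall(script)
    report = {
        "hex_encoded_urls": decoded,
        "http_on_443": plain_http_on_443(clear_urls + decoded),
        "env_slice_count": len(env_slices),
    }
    # A single %VAR:~n,m% is common in legitimate batch files; two or more in a
    # short script is the pattern worth a closer look.
    report["suspicious"] = bool(
        decoded or report["http_on_443"] or len(env_slices) >= 2
    )
    return report


# Constructed samples (hypothetical, not taken from the report).
SAMPLE_POWERSHELL = (
    '$u = "%68%74%74%70%3a%2f%2f%31%39%32%2e%30%2e%32%2e%31%30'
    '%3a%34%34%33%2f%6c%64%2e%70%73%31"\n'
    "Write-Host $u\n"
)
SAMPLE_BATCH = (
    "@echo off\n"
    'set "v=cmd powershell"\n'
    'set "c=%v:~4,10%"\n'
    'set "e=%v:~0,3%"\n'
    "echo %c% %e%\n"
)
SAMPLE_BENIGN = (
    "Invoke-WebRequest -Uri https://updates.example.invalid/agent.ps1 "
    "-OutFile agent.ps1\n"
)

if __name__ == "__main__":
    for name, body in (("powershell", SAMPLE_POWERSHELL),
                       ("batch", SAMPLE_BATCH),
                       ("benign", SAMPLE_BENIGN)):
        print(name, analyze(body))
```

The percent-hex decoder only reports runs that decode to a URL, so ordinary encoded query strings do not trigger it, and the port check is applied to decoded URLs as well as clear-text ones, since the encoded sample contains no literal `http://` to match.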
In light of the active exploitation of CVE-2024-1086 and CVE-2024-24919, federal agencies are recommended to apply the latest fixes by June 24, 2024, to protect their networks against potential threats.