
Oracle WebLogic Server OS Command Injection Flaw is Under Active Attack

04 June 2024 | Press release | Network Security / Cryptocurrency

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a vulnerability affecting the Oracle WebLogic Server to the catalog of known exploited vulnerabilities (KEV), citing indications of active exploitation.

The issue is tracked as CVE-2017-3506 (CVSS score: 7.4) and concerns an operating system (OS) command injection vulnerability that could be exploited to gain unauthorized access to vulnerable servers and take complete control of them.

“Oracle WebLogic Server, a product of the Fusion Middleware suite, contains an OS command injection vulnerability that allows an attacker to execute arbitrary code via a specially crafted HTTP request that contains a malicious XML document,” CISA said.


While the agency did not disclose the type of attacks exploiting this vulnerability, the China-based cryptojacking group known as the 8220 Gang (aka Water Sigbin) has been exploiting this vulnerability since early last year to incorporate unpatched devices into a crypto mining botnet.

According to a recent report published by Trend Micro, the 8220 Gang was observed exploiting vulnerabilities in Oracle WebLogic Server (CVE-2017-3506 and CVE-2023-21839) to launch a fileless cryptocurrency miner in memory using a shell or PowerShell script, depending on the target operating system.

“The gang used obfuscation techniques such as hexadecimal encryption of URLs and use of HTTP over port 443, which enabled stealthy delivery of the payload,” said security researcher Sunil Bharti. “The PowerShell script and resulting batch file included complex encryption and used environment variables to hide malicious code in seemingly innocuous script components.”

Given the active exploitation of CVE-2017-3506, federal agencies are advised to apply the latest fixes by June 24, 2024 to protect their networks from potential threats.
