Analysis Summary

Citing evidence of active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a vulnerability affecting the Oracle WebLogic Server to the Known Exploited Vulnerabilities (KEV) database. The flaw, identified as CVE-2017-3506 (CVSS score: 7.4), is related to an operating system (OS) command injection vulnerability that might be used to get full control of vulnerable servers and gain unauthorized access.

An OS command injection vulnerability in Oracle WebLogic Server, a component of the Fusion Middleware suite, enables an attacker to run any code by sending a specially constructed HTTP request that contains a malicious XML document.

The Chinese cryptojacking group known as the 8220 Gang (also known as Water Sigbin) has a history of using the vulnerability to turn unpatched devices into a botnet that mines cryptocurrency, even if the agency did not reveal the type of assaults that were taking advantage of it. This was done as early as last year. The 8220 Gang has been observed exploiting vulnerabilities in the Oracle WebLogic Server (CVE-2017-3506 and CVE-2023-21839) to launch a cryptocurrency miner filelessly in memory using a shell or PowerShell script, depending on the operating system targeted.

The group used obfuscation techniques, like HTTP via port 443 and hexadecimal encoding of URLs, to transmit payloads covertly. Complex encoding was used in the PowerShell script and the batch file that it produced, concealing malicious code within what appeared to be harmless script elements utilizing environment variables.

Given that CVE-2024-1086 and CVE-2024-24919 are already being exploited actively, it is advised that government agencies deploy the most recent updates before June 24, 2024, to safeguard their networks from future risks.

Impact

• Unauthorized Access
• Command Execution
• Cryptocurrency Theft
• Financial Loss

Indicators of Compromise

CVE

• CVE-2017-3506

Affected Vendors

Remediation

• Refer to Oracle Critical Patch Update Advisory for patch, upgrade, or suggested workaround information.
• Organizations must test their assets for the aforementioned vulnerabilities and apply the available security patches or mitigation steps as soon as possible.
• Implement multi-factor authentication to add an extra layer of security to login processes.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.