

Rewterz Threat Advisory – CVE-2019-2725 – WebLogic Server Remote Code Execution Vulnerability
May 2, 2019
Rewterz Threat Alert – Recent OilRig Activity – IoCs
May 2, 2019
Severity
High
Analysis Summary
A recently disclosed vulnerability in Oracle WebLogic server that we reported earlier today is being actively exploited to install a new variant of ransomware called “Sodinokibi.” This ransomware attempts to encrypt data in a user’s directory and deletes shadow copy backups to make data recovery more difficult.
The vendor has released a patch for this vulnerability. The flaw is easy to exploit, since anyone with HTTP access to the WebLogic server could carry out an attack. When the ransomware successfully infected a machine, it left the following ransom note (attached as a sample):

Indicators of Compromise are given below. The attacker's IP address was reported by Cisco's Talos blog as follows:

This IP has previously been reported multiple times, as seen on https://www.abuseipdb.com/check/130.61.54.136.

Impact
File encryption
Indicators of Compromise
IP(s) / Hostname(s)
130.61.54[.]136
URLs
- hxxp[:]//188[.]166[.]74[.]218/office[.]exe
- hxxp[:]//188[.]166[.]74[.]218/radm[.]exe
- hxxp[:]//188[.]166[.]74[.]218/untitled[.]exe
- hxxp[:]//45[.]55[.]211[.]79/[.]cache/untitled[.]exe
- decryptor[.]top
Malware Hash (MD5/SHA1/SHA256)
- 0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d
- 34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160
- 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac
- 95ac3903127b74f8e4d73d987f5e3736f5bdd909ba756260e187b6bf53fb1a05
- fa2bccdb9db2583c2f9ff6a536e824f4311c9a8a9842505a0323f027b8b51451
Affected Vendors
Oracle
Affected Products
Oracle WebLogic Server
Remediation
- Patch WebLogic as soon as possible against CVE-2019-2725.
- Block the threat indicators at their respective controls.
- Restrict the privileges of the account used to run the WebLogic process.
- Restrict egress communications from the data center.
- Control URL access (in this case, external access to "/_async/" and "/wls-wsat/").
- Configure PowerShell to execute only signed scripts.
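As an added example (not part of the Rewterz advisory), the following Python script checks WebLogic HTTP access logs for the two indicators a defender can act on from this advisory: requests to the "/_async/" and "/wls-wsat/" endpoints that the remediation says to restrict, and connections from the reported attacker IP. The log lines are constructed samples in combined log format; treating a POST to those endpoints as a stronger signal is an assumption of this example, not a statement from the advisory.

```python
"""Scan WebLogic access logs for CVE-2019-2725 exploitation indicators (added example)."""
import re
from typing import Dict, List, Optional

# Indicator from the advisory, kept in its defanged form.
ATTACKER_IPS = {"130.61.54[.]136"}
# Endpoints the remediation restricts; requests here are the ones worth reviewing.
WATCHED_PATHS = ("/_async/", "/wls-wsat/")

# Combined log format: client ident user [time] "METHOD PATH PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def refang(ioc: str) -> str:
    """Convert a defanged indicator (hxxp, [:], [.]) back to its literal form for matching."""
    return ioc.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access-log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def assess(entry: Dict[str, str]) -> List[str]:
    """Return the reasons an entry is suspicious (empty list means nothing to flag)."""
    reasons = []
    if entry["client"] in {refang(ip) for ip in ATTACKER_IPS}:
        reasons.append("client is the attacker IP from the advisory")
    if entry["path"].startswith(WATCHED_PATHS):
        reasons.append("request to restricted WebLogic endpoint")
        if entry["method"] == "POST":  # assumption: POST carries the exploit body
            reasons.append("POST to restricted endpoint")
    return reasons


def scan(log_text: str) -> List[Dict[str, object]]:
    """Run assess() over every parseable line and collect the flagged entries."""
    hits = []
    for entry in filter(None, map(parse_line, log_text.splitlines())):
        reasons = assess(entry)
        if reasons:
            hits.append({"client": entry["client"], "path": entry["path"], "reasons": reasons})
    return hits


# Constructed sample log (not from the advisory): one benign request, two to watched endpoints.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Apr/2019:10:01:02 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 5120
130.61.54.136 - - [30/Apr/2019:10:03:17 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0
203.0.113.9 - - [30/Apr/2019:10:04:44 +0000] "GET /wls-wsat/CoordinatorPortType HTTP/1.1" 200 1200
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["client"], hit["path"], "; ".join(hit["reasons"]))
```

Run it against a real `access.log` by passing the file contents to `scan()`; entries that only hit the endpoint check still warrant review, since the advisory notes that anyone with HTTP access can reach the flaw.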