A couple of weeks back, a zero-day vulnerability was discovered in Oracle WebLogic Servers that can trigger the deserialization of malicious code and allow hackers to take over the targeted system.
Now, a recent report suggests that this zero-day vulnerability has been abused for over a week to infect Oracle WebLogic servers through ransomware. So far, two strands of ransomware have been identified by security researchers from Cisco Talos.
Attackers are trying to infect systems through a new strain of ransomware called ‘Sodinokibi’ that tries to encrypt data in a user’s directory. It makes the recovery more difficult by deleting trustworthy backups.
Usually, ransomware requires some form of user interaction such as opening an email attachment, clicking on a malicious link, or running a piece of malicious code on the device — to infect the system.
However, in this case, Sodinokibi doesn’t require any form of interaction as the attackers simply leverage the Oracle WebLogic vulnerability to force the affected server to download a copy of the ransomware.
Find your dream job
Once the Sodinokibi ransomware is installed, the attackers display a ransom note on the victim’s device. They demand around $2,500 in Bitcoin in exchange for receiving decryption keys, giving a deadline of two days to submit it.
If the victim misses the deadline, the attackers launch a second strain of ransomware, ‘GandCrab,’ and the ransom doubles to $5,000.
The reason behind using two different strains of malware on the same victim is unclear as of now. According to the researchers, “perhaps the attackers felt their earlier attempts had been unsuccessful and were still looking to cash in by distributing Gandcrab.”
Another possibility is that the attackers knew that Oracle WebLogic zero-day flaw would be patched soon, so they tried to maximize their profit by ensuring they tried everything in the limited amount of time they had.
In any case, server owners should take out time to implement Oracle’s recent patch to prevent other types of attacks which could arrive anytime.