Hurry up patching those Oracle bugs: Attackers aren't waiting

Honeypots swarmed on within three hours of patch release

Security experts are advising administrators to hurry up installing Oracle patches after finding that attackers are quick to target their vulnerabilities.

The SANS Institute issued a warning after one of its honeypot systems was targeted by exploits of the CVE-2018-2628 remote code execution flaw in WebLogic just hours after the test server was put live.

According to SANS, the flaw has been aggressively targeted since it was first disclosed by Oracle on April 18. The security training company says it took all of three hours after the patch was released for the first compromised servers to be detected.

Since then, SANS says, attacks have become so prevalent that new systems will be hit with exploit attempts almost immediately after coming online. To underscore this, SANS researchers set a vulnerable server live earlier this week and monitored attempts to exploit the flaw.

Within three hours of going live, that honeypot system had been targeted for attack with an attempt to install and execute crypto-mining malware.

"It seems that the time window between vulnerability disclosure and opportunistic exploitation is shrinking more and more," writes researcher Renato Marinho.

"From this episode, we can learn that those who don’t have time to patch fast will have to find much more time to recover properly from the coming incidents."

With the vulnerabilities being so quickly weaponized, researchers are advising administrators to be sure they keep an eye out for patches from Oracle and other enterprise software vendors so they can test and deploy updates as soon as possible.

In this case, however, simply patching may not be enough. Marinho notes that for the Oracle bug in question, researchers have shown it may be possible to circumvent the patch and exploit the vulnerability even on updated servers.

As such, Marinho advises companies to restrict access to the TCP/7001 port on WebLogic servers as much as possible in the short term. ®
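As an added example (not from the article, SANS or Oracle), the script below generates an nftables ruleset that admits TCP/7001 only from an allow-list of administrative sources and logs-then-drops everything else, plus a helper that counts the distinct sources hitting that drop rule from the resulting kernel log lines. The allow-list CIDRs, the table and set names and the sample log lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: short-term containment for WebLogic's TCP/7001 listener
# (the port the article advises restricting), not code from SANS or Oracle.
# Assumes a Linux host with nftables; CIDRs and log lines are constructed samples.

WEBLOGIC_PORT=7001

# Print an nftables ruleset that accepts TCP/7001 only from the given IPv4 CIDRs
# and logs-then-drops every other connection attempt to that port.
# Usage: weblogic_ruleset <cidr>...
weblogic_ruleset() {
  local cidr first=1
  echo "table inet weblogic_guard {"
  echo "  set allowed_admins {"
  echo "    type ipv4_addr; flags interval;"
  printf "    elements = { "
  for cidr in "$@"; do
    if [ "$first" -eq 1 ]; then first=0; else printf ", "; fi
    printf "%s" "$cidr"
  done
  echo " }"
  echo "  }"
  echo "  chain input {"
  # policy accept: other services on the host are left untouched
  echo "    type filter hook input priority 0; policy accept;"
  echo "    tcp dport $WEBLOGIC_PORT ip saddr @allowed_admins accept"
  echo "    tcp dport $WEBLOGIC_PORT log prefix \"weblogic-7001-blocked: \" drop"
  echo "  }"
  echo "}"
}

# Read kernel log lines on stdin and count the distinct source IPs that were
# dropped by the rule above (lines carry the "weblogic-7001-blocked:" prefix
# followed by the usual nftables SRC=/DST=/DPT= fields).
blocked_sources() {
  grep -o 'weblogic-7001-blocked: .*SRC=[0-9.]*' | sed 's/.*SRC=//' \
    | sort -u | awk 'END { print NR }'
}

# Constructed sample of what the kernel logs after the ruleset is loaded.
SAMPLE_LOG='weblogic-7001-blocked: IN=eth0 SRC=203.0.113.5 DST=10.0.0.7 PROTO=TCP DPT=7001
weblogic-7001-blocked: IN=eth0 SRC=203.0.113.5 DST=10.0.0.7 PROTO=TCP DPT=7001
weblogic-7001-blocked: IN=eth0 SRC=198.51.100.9 DST=10.0.0.7 PROTO=TCP DPT=7001'

if [ "${1:-}" = "--demo" ]; then
  weblogic_ruleset 10.0.0.0/8 192.0.2.10/32
  printf '%s\n' "$SAMPLE_LOG" | blocked_sources   # prints 2
fi
```

Write the generated ruleset to a file and load it with `nft -f` once the allow-list has been reviewed; the counter can then be run over `journalctl -k` output to see how quickly opportunistic scanners find the port.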

Biting the hand that feeds IT © 1998–2018