Active Exploitation of OS Command Injection Flaw in Oracle WebLogic Server

On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a security flaw in the Oracle WebLogic Server to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

Identified as CVE-2017-3506 with a CVSS score of 7.4, this vulnerability involves an operating system (OS) command injection flaw. Exploiting this flaw could allow unauthorized access to vulnerable servers and potentially lead to complete control over them.

"Oracle WebLogic Server, part of the Fusion Middleware suite, has an OS command injection vulnerability. This vulnerability enables attackers to execute arbitrary code via a specially crafted HTTP request containing a malicious XML document," stated CISA.

Although the agency did not detail the nature of the attacks exploiting the flaw, the China-based cryptojacking group 8220 Gang (also known as Water Sigbin) has been known to exploit this vulnerability since early last year to incorporate unpatched devices into a crypto-mining botnet.

A recent report by Trend Micro reveals that the 8220 Gang has weaponized vulnerabilities in the Oracle WebLogic Server (CVE-2017-3506 and CVE-2023-21839) to filelessly deploy a cryptocurrency miner in memory using shell or PowerShell scripts, depending on the target operating system. "The gang used obfuscation techniques like hexadecimal encoding of URLs and HTTP over port 443 for stealthy payload delivery," noted security researcher Sunil Bharti. "The PowerShell script and subsequent batch file involved complex encoding, utilizing environment variables to conceal malicious code within seemingly benign script components."
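The two obfuscation tricks quoted above (hex-encoded URLs, and commands assembled from environment variables) can be surfaced with a small triage script when reviewing scripts recovered from a WebLogic host. The following is an added example written for this article, not code from Trend Micro or the 8220 Gang; the batch fragment is constructed, and treating "environment variable concealment" as `%VAR:~start,len%` substring expansion is an assumption about the technique, not a detail the report states.

```python
import re
from typing import Dict, List

# Constructed sample in the style described above: a hex-encoded URL and a
# command spelled out from substrings of an environment variable.
SAMPLE_BATCH = r"""
@echo off
set u=687474703a2f2f6578616d706c652e696e76616c69642f7061796c6f61642e707331
set c=%COMSPEC:~0,1%%COMSPEC:~-3,1%
echo %u%
"""

# Eight or more consecutive hex byte pairs (16+ hex digits) is rare in
# legitimate batch/PowerShell text, so it is a cheap first filter.
HEX_RUN = re.compile(r"(?:[0-9a-fA-F]{2}){8,}")
# Assumed env-var substring syntax: %NAME:~start% or %NAME:~start,len%
ENV_SUBSTR = re.compile(r"%[A-Za-z_][A-Za-z0-9_]*:~-?\d+(?:,-?\d+)?%")


def decode_hex_urls(text: str) -> List[str]:
    """Decode long hex runs and keep only those that become http(s) URLs."""
    urls = []
    for m in HEX_RUN.finditer(text):
        try:
            decoded = bytes.fromhex(m.group(0)).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # odd length or non-printable: not a hidden URL
        if decoded.lower().startswith(("http://", "https://")):
            urls.append(decoded)
    return urls


def env_substring_refs(text: str) -> List[str]:
    """Return every %VAR:~n,m% substring expansion found in the script."""
    return ENV_SUBSTR.findall(text)


def triage(text: str) -> Dict[str, object]:
    """Summarise both indicators; two or more substring expansions or any
    hex-hidden URL is enough to escalate the file for manual review."""
    urls = decode_hex_urls(text)
    refs = env_substring_refs(text)
    return {
        "hex_urls": urls,
        "env_substrings": refs,
        "suspicious": bool(urls) or len(refs) >= 2,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_BATCH))
```

Decoded URLs are worth feeding to proxy logs, and the port-443 detail in the report means a plain-HTTP-on-443 filter (protocol mismatch) is a useful companion check.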

Given the active exploitation of CVE-2017-3506, federal agencies are urged to apply the latest patches by June 24, 2024, to safeguard their networks against potential threats.