Trend Micro has recently observed malicious actors exploiting both recently disclosed and older Oracle WebLogic Server vulnerabilities to deliver cryptocurrency-mining malware. Oracle WebLogic Server is typically used for developing and deploying high-traffic enterprise applications on cloud environments and on engineered and conventional systems.
One of the older vulnerabilities still being actively exploited is CVE-2020-14882, a remote code execution (RCE) vulnerability that takes advantage of improper input validation in Oracle WebLogic Server. This vulnerability affects versions 10.3.6.0.0, 22.214.171.124.0, 126.96.36.199.0, 188.8.131.52.0, and 184.108.40.206.0. A remote, unauthenticated attacker can exploit it by sending a crafted HTTP request to the victim server, resulting in RCE. It has a CVSS v3.0 score of 9.8.
Although Trend Micro has observed many malicious actors using this vulnerability to deploy different malware families, this blog will focus on Kinsing malware activity. Based on their analysis, most of the exploits did not show special characteristics or features. However, the downloaded shell and Python scripts went through a lengthy list of actions, including disabling basic operating system (OS) security features such as Security-Enhanced Linux (SELinux), watchdog timers, and iptables, and disabling cloud service providers' agents.
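The following is an added detection example, not code from Trend Micro's report: it flags hosts whose process-execution records show several of the controls named above being switched off together. The command patterns, the unit name `example-cloud-agent`, the `(host, command line)` record format and the threshold of two categories are assumptions.

```python
import re
from collections import defaultdict

# Assumed indicators: common Linux commands that switch off the controls the
# paragraph names. Illustrative only, not taken from the Trend Micro report.
AGENT_UNITS = ["example-cloud-agent"]  # placeholder unit name
RULES = {
    "selinux": re.compile(r"\bsetenforce\s+0\b|SELINUX=disabled"),
    "watchdog": re.compile(
        r"nmi_watchdog\s*=\s*0|echo\s+0\s*>\s*/proc/sys/kernel/nmi_watchdog"),
    "iptables": re.compile(
        r"\biptables\s+(?:-F|--flush)\b"
        r"|systemctl\s+(?:stop|disable)\s+(?:iptables|firewalld)\b"),
    "cloud_agent": re.compile(
        r"systemctl\s+(?:stop|disable)\s+(?:%s)\b"
        % "|".join(map(re.escape, AGENT_UNITS))),
}

def classify(cmdline):
    """Return the set of control categories a command line tampers with."""
    return {name for name, rx in RULES.items() if rx.search(cmdline)}

def correlate(records, threshold=2):
    """Map host -> sorted categories, for hosts hitting >= threshold categories.

    One match alone (an admin flushing iptables) is weak; several distinct
    categories on one host matches the scripted sequence described above.
    """
    seen = defaultdict(set)
    for host, cmdline in records:
        seen[host] |= classify(cmdline)
    return {h: sorted(c) for h, c in seen.items() if len(c) >= threshold}

# Constructed sample records: (host, command line) pairs.
SAMPLE = [
    ("wls-01", "sh -c setenforce 0"),
    ("wls-01", "sh -c echo 0 >/proc/sys/kernel/nmi_watchdog"),
    ("wls-01", "iptables -F"),
    ("wls-01", "systemctl stop example-cloud-agent"),
    ("ops-07", "iptables -F"),
    ("ops-07", "iptables -L -n"),
    ("db-02", "getenforce"),
]

if __name__ == "__main__":
    for host, cats in correlate(SAMPLE).items():
        print(f"{host}: security controls disabled -> {', '.join(cats)}")
```

In practice the records would come from auditd `execve` events or EDR process telemetry, and `AGENT_UNITS` would list the monitoring agents actually deployed in the environment.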
This blog entry will detail how Trend Micro Cloud One™ – Workload Security and Trend Micro Vision One™ effectively detected and blocked the abuse of the CVE-2020-14882 WebLogic vulnerability in affected endpoints.