Oracle WebLogic DarkIRC Vulnerability

The CVE-2020-14882 vulnerability affecting Oracle
WebLogic is well known and a fix has been available for some time. Even so,
with the problem known and a patch that fixes it available, it has continued
to be massively exploited in recent days, according to
information revealed by Juniper Networks. The vulnerability affects
versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.

According to Juniper researchers, the DarkIRC botnet has
for some time been targeting Oracle WebLogic servers where this
vulnerability is still unpatched, leaving them exposed to any type of attack that
exploits this critical vulnerability (remember that it is rated
9.8 out of 10 in severity). When exploited, it allows execution
of arbitrary code. This is not the first attack campaign based on
this CVE: last month there was already a massive attack on Oracle WebLogic servers exploiting
it.

In last month's massive attack, the
attackers used Cobalt Strike so that, once access to the Oracle WebLogic server was obtained,
they could exfiltrate data and deploy new payloads to use
the compromised systems for other purposes. The most common is to use the
compromised computer in a botnet managed by a command and control
server.

In this case, DarkIRC takes advantage of the vulnerability with
a PowerShell script executed through an HTTP GET request that
contains malware with anti-analysis and anti-sandbox capabilities. Once it is
inside, DarkIRC can log keystrokes, run commands on the
server, steal credentials and spread through MSSQL and RDP (brute
force), among others.
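Because the delivery described above arrives as an HTTP GET request carrying PowerShell, web access logs are a natural place to look for it. The following is an added example, not code from Juniper or from this article: it assumes Common Log Format access logs, and the marker list, paths and sample lines are constructed assumptions to tune for your environment.

```python
import re
from urllib.parse import unquote

# Common Log Format: client, identity, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Assumed heuristic markers of PowerShell inside a URL (not taken from the article).
MARKERS = re.compile(
    r'powershell|pwsh|-enc(odedcommand)?\b|downloadstring|\biex\b', re.I)

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(lines):
    """Return (ip, status, decoded_target) for GET requests with PowerShell markers."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        # The article describes delivery via GET; widen the filter if needed.
        if not m or m.group("method") != "GET":
            continue
        target = fully_decode(m.group("target"))
        if MARKERS.search(target):
            hits.append((m.group("ip"), int(m.group("status")), target))
    return hits

# Constructed sample lines: documentation IP ranges and placeholder paths.
SAMPLE = [
    '203.0.113.7 - - [01/Dec/2020:10:00:01 +0000] "GET /example/index.jsp HTTP/1.1" 200 3120',
    '198.51.100.23 - - [01/Dec/2020:10:02:14 +0000] "GET /example/page?x=PowerShell%2520-enc%2520PLACEHOLDER HTTP/1.1" 200 512',
    '198.51.100.23 - - [01/Dec/2020:10:02:20 +0000] "POST /example/page?x=powershell HTTP/1.1" 404 0',
    '192.0.2.55 - - [01/Dec/2020:10:05:00 +0000] "GET /example/docs/powerpoint-shell.html HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, status, target in suspicious_requests(SAMPLE):
        print(f"{ip} status={status} {target}")
```

A hit with a 200 status on an unpatched server is a reason to check the host for follow-on activity, not proof of compromise on its own.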

According to a Shodan search, some 2,973
Oracle WebLogic servers exposed to the internet are potentially vulnerable to attacks
that exploit the above vulnerability.

