A Post-exploitation Look at Coinminers Abusing WebLogic Vulnerabilities
We have recently observed malicious actors exploiting both recently disclosed and older Oracle WebLogic Server vulnerabilities to deliver cryptocurrency-mining malware. Oracle WebLogic Server is typically used for developing and deploying high-traffic enterprise applications on cloud environments and engineered and conventional systems. One of the older vulnerabilities that is still being actively exploited by malicious actors is CVE-2020-14882, a remote code execution (RCE) vulnerability that takes advantage of improper input validation in Oracle WebLogic Server. This vulnerability affects versions 10.3.6.0.0, 220.127.116.11.0, 18.104.22.168.0, 22.214.171.124.0, and 126.96.36.199.0, and can be exploited by a remote unauthenticated attacker via sending a crafted HTTP request to the victim server resulting in RCE. It also has a CVSS v3.0 score of 9.8. Though we have observed that many malicious actors are using this vulnerability to deploy different malware families, this blog will focus on Kinsing malware activity. Based on our analysis, most of the exploits did not show special characteristics or features. However, we have observed that the downloaded shell and Python scripts went through a lengthy list of actions, including disabling basic operating system (OS) security features such as Security-Enhanced Linux (SELinux), watchdog timers, and iptables, and disabling cloud service provider’s agents.