New Linux Malware Exploiting Oracle Weblogic Servers

Oracle WebLogic Server is an application server that is primarily designed to develop, deploy, and manage enterprise applications based on Java EE and Jakarta EE standards.

It serves as a critical component of Oracle’s Fusion Middleware, which provides a reliable and scalable environment.

Aqua Nautilus researchers recently discovered a new Linux malware, dubbed “Hadooken”, that is actively targeting Oracle WebLogic servers.

Linux Malware Exploiting Weblogic Servers

The Hadooken malware targets Oracle WebLogic servers, using weak admin credentials for initial access.

It deploys two key components:

A cryptominer (MD5: 9bea7389b633c331e706995ed4b3999c)

Tsunami malware (MD5: 8eef5aa6fa9859c71b55c1039f02d2e6)

The attack uses a shell script (‘c’) and a Python script (‘y’) to download and execute the payloads, staging them in non-persistent directories such as /tmp.

The cryptominer is dropped as ‘/usr/bin/crondr’, ‘/usr/bin/bprofr’, and ‘/mnt/-java’, while Tsunami uses a random filename in /tmp. 

Persistence is maintained through cron jobs created in /etc/cron.<Period>/<Random String> with varying frequencies. 

Attack flow (Source – Aquasec)

For lateral movement, it searches for SSH data in various directories. The malware employs evasion techniques, including base64 encoding, log clearance, and process masquerading. 

Associated IP addresses 89.185.85.102 and 185.174.136.204 link to potential ransomware distribution (Mallox MD5: 4a12098c3799ce17d6d59df86ed1a5b6, RHOMBUS, NoEscape). 

A related PowerShell script ‘b.ps1’ (MD5: c1897ea9457343bd8e73f98a1d85a38f) distributes Mallox ransomware, indicating a multi-platform attack strategy. 

Shodan shows over 230,000 internet-connected WebLogic servers, several hundred of which expose an admin console that could be targeted in the same way.

The MITRE ATT&CK mapping for this campaign is shown below:
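The drop paths, MD5 hashes and cron-based persistence described above are enough to write a simple host triage check. The script below is an added example, not Aqua Nautilus or Cyber Security News code: it takes a filesystem snapshot as (path, md5) pairs, matches the article's drop paths and hashes, and flags any file under /etc/cron.<period>/ that is not in an allow-list baseline (catching the random-named cron jobs even when the hash is unknown). The sample snapshot and baseline are constructed for the demonstration; `snapshot_from_disk` is a hypothetical helper showing how to build the snapshot on a real host.

```python
"""Host triage for the Hadooken indicators quoted in the article (added example)."""
import hashlib
import os
import re

# MD5 hashes quoted in the article (source: Aqua Nautilus write-up).
KNOWN_MD5 = {
    "9bea7389b633c331e706995ed4b3999c": "Hadooken cryptominer",
    "8eef5aa6fa9859c71b55c1039f02d2e6": "Tsunami malware",
    "4a12098c3799ce17d6d59df86ed1a5b6": "Mallox ransomware",
    "c1897ea9457343bd8e73f98a1d85a38f": "b.ps1 Mallox dropper",
}

# Drop paths named in the article. Tsunami uses a random name in /tmp, so it
# can only be caught by hash, not by path.
KNOWN_DROP_PATHS = {"/usr/bin/crondr", "/usr/bin/bprofr", "/mnt/-java"}

# Persistence lives in /etc/cron.<Period>/<Random String>.
CRON_PERIOD_RE = re.compile(r"^/etc/cron\.(hourly|daily|weekly|monthly)/([^/]+)$")


def classify(path, md5, cron_baseline):
    """Return the list of reasons a file matches an indicator (empty if clean)."""
    reasons = []
    md5 = md5.lower()
    if md5 in KNOWN_MD5:
        reasons.append("hash matches " + KNOWN_MD5[md5])
    if path in KNOWN_DROP_PATHS:
        reasons.append("known Hadooken drop path")
    m = CRON_PERIOD_RE.match(path)
    if m and path not in cron_baseline:
        reasons.append("cron job not in baseline (/etc/cron.%s/)" % m.group(1))
    return reasons


def triage(snapshot, cron_baseline=frozenset()):
    """Run classify() over every (path, md5) pair; return [(path, reasons), ...]."""
    findings = []
    for path, md5 in snapshot:
        reasons = classify(path, md5, cron_baseline)
        if reasons:
            findings.append((path, reasons))
    return findings


def snapshot_from_disk(directories):
    """Hypothetical helper: hash every regular file under the given directories."""
    snapshot = []
    for base in directories:
        for root, _dirs, files in os.walk(base):
            for name in files:
                full = os.path.join(root, name)
                try:
                    digest = hashlib.md5()
                    with open(full, "rb") as fh:
                        for chunk in iter(lambda: fh.read(1 << 20), b""):
                            digest.update(chunk)
                    snapshot.append((full, digest.hexdigest()))
                except OSError:
                    continue  # unreadable or vanished file; skip it
    return snapshot


# Constructed sample data: a benign binary, two article hashes, one known drop
# path with an unknown hash, one baseline cron job and one random-named cron job.
SAMPLE_CRON_BASELINE = frozenset({"/etc/cron.daily/logrotate"})
SAMPLE_SNAPSHOT = [
    ("/usr/bin/ls", "d41d8cd98f00b204e9800998ecf8427e"),           # placeholder benign hash
    ("/usr/bin/crondr", "9bea7389b633c331e706995ed4b3999c"),       # miner, path + hash
    ("/tmp/x7Gq2", "8eef5aa6fa9859c71b55c1039f02d2e6"),            # Tsunami, random name
    ("/mnt/-java", "00000000000000000000000000000000"),            # drop path, unknown hash
    ("/etc/cron.daily/logrotate", "11111111111111111111111111111111"),
    ("/etc/cron.hourly/kjhg3f", "22222222222222222222222222222222"),  # persistence
]

if __name__ == "__main__":
    for found_path, why in triage(SAMPLE_SNAPSHOT, SAMPLE_CRON_BASELINE):
        print(found_path, "->", "; ".join(why))
```

On a real host, replace SAMPLE_SNAPSHOT with `snapshot_from_disk(["/usr/bin", "/mnt", "/tmp", "/etc"])` and build the cron baseline from a known-good image; hash matching only catches the exact samples quoted here, so the path and cron checks are what survive a recompiled payload.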

MITRE ATT&CK framework (Source – Aquasec)

Mitigation

Recommended mitigations:

Use IaC scanning tools to detect misconfigurations before deployment.

Use CSPM tools to scan cloud configurations for risks.

Scan Kubernetes clusters for misconfigurations.

Secure container images and Docker files.

Monitor runtime environments.

IOCs

IOCs (Source – Aquasec)

The post New Linux Malware Exploiting Oracle Weblogic Servers appeared first on Cyber Security News.

 

Ivanti Warns of Active Exploitation of Newly Patched Cloud Appliance Vulnerability

Ivanti has revealed that a newly patched security flaw in its Cloud Service Appliance (CSA) has come under active exploitation in the wild.
The high-severity vulnerability in question is CVE-2024-8190 (CVSS score: 7.2), which allows remote code execution under certain circumstances.
“An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows

 

Kawasaki Europe Confirms Cyber Attack, RansomHub Claims Responsibility

Kawasaki Motors Europe (KME) has officially confirmed it was the target of a cyberattack in early September, causing temporary disruptions to its operations. The company stated that while the attack was “not successful,” it resulted in the isolation of its servers as a precautionary measure.

In a statement released on September 12, KME explained that its IT department, along with external cybersecurity experts, spent the following week meticulously checking and cleansing all servers before reconnecting them to the corporate network. By the start of this week, over 90% of KME’s server functionality had been restored.

However, the situation took a more serious turn when the notorious ransomware gang RansomHub claimed responsibility for the attack.

The threat group added Kawasaki to its dark web extortion portal on September 5, alleging the theft of 487 GB of data from the company’s networks.

dark web extortion portal claim

RansomHub has set a countdown timer, threatening to publish all stolen data if their demands are not met by the deadline. The nature of the compromised data remains unclear, but the possibility of customer information being involved cannot be ruled out at this stage.

Kawasaki has emphasized that business operations, including dealerships, third-party suppliers, and logistics operations, have not been impacted by the incident.

The company has implemented enhanced monitoring operations and tightened access restrictions to prevent unauthorized access in the future.

This attack on Kawasaki comes amid a surge in RansomHub’s activities. The group has emerged as a prominent player in the cybercrime landscape, particularly following the shutdown of other major ransomware operations like BlackCat/ALPHV.

According to a joint advisory from the FBI, CISA, and the Department of Health and Human Services, RansomHub has breached at least 210 victims across various critical U.S. infrastructure sectors since its launch in February.

As the investigation continues, Kawasaki has not yet responded to requests for additional comments regarding the RansomHub claims.

 

Port of Seattle Confirms August Cyberattack by Rhysida Ransomware

The Port of Seattle has confirmed that the Rhysida ransomware gang orchestrated the cyberattack that disrupted its systems and operations in late August. The attack on August 24, 2024, forced the Port to isolate critical systems, resulting in widespread outages impacting Seattle-Tacoma International Airport and the Port’s maritime facilities.

According to the Port’s statement, the Rhysida attackers gained unauthorized access to certain parts of their computer systems and encrypted some data.

This led to disruptions in various airport services, including baggage handling, check-in kiosks, ticketing, Wi-Fi, passenger display boards, and the Port’s website and mobile app.

Despite the severity of the attack, the Port has refused to pay the ransom demanded by the Rhysida gang.

“Paying the criminal organization would not reflect Port values or our pledge to be a good steward of taxpayer dollars,” said Steve Metruck, Executive Director of the Port of Seattle. As a result, the Port warns that the attackers may publish stolen data on their dark website.

On Aug. 24, the Port of Seattle identified system outages consistent with a cyberattack. It was a fast-moving situation, and Port staff worked to quickly isolate critical systems. pic.twitter.com/MruG4jXXUc

— Seattle-Tacoma Intl. Airport (@flySEA) September 13, 2024

The Port’s investigation into the incident is ongoing, but it appears that the attackers exfiltrated some data in mid-to-late August. If any employee or passenger’s personal information is found to have been compromised, the Port has committed to notifying affected individuals.

Since the attack, the Port has been working to restore affected systems and enhance its cybersecurity measures. While most services were brought back online within a week, work is still underway to fully restore the Port’s website and internal portals.

The Port remains on heightened alert and is continuously monitoring its systems for any further unauthorized activity.

Rhysida is a relatively new but highly active ransomware operation that has targeted various sectors, including healthcare, government, and now transportation.

The gang has been linked to several high-profile attacks in recent months, including the breaches of the British Library and the Chilean Army.

As the investigation continues, the Port remains committed to transparency, strengthening its defenses, and sharing information to help protect other organizations from similar attacks.
