Malicious actors are actively targeting Oracle WebLogic servers that have yet to be patched against the CVE-2020-14882 vulnerability, which allows attackers to take over the system.
The flaw has been assigned a CVSS score of 9.8 and affects Oracle WebLogic versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Oracle addressed it as part of the Critical Patch Update released last month. This week Oracle issued an out-of-band update for a further, related WebLogic vulnerability (CVE-2020-14750), which also allows unauthenticated attackers to take over unpatched instances.
Since last week, researchers at the SANS Institute have observed a large number of scans against their WebLogic honeypots probing whether they are vulnerable to CVE-2020-14882, along with a small number of attempts to deploy cryptocurrency miners.
Furthermore, over the weekend the researchers detected a campaign that used a chain of obfuscated PowerShell scripts to download Cobalt Strike, a legitimate penetration testing tool that is often used by cybercriminals for post-exploitation tasks and to deploy so-called beacons, which give them persistent remote access. In fact, according to the Cisco Talos Q4 2020 CTIR report, more than 60% of all ransomware attacks this quarter involved the use of Cobalt Strike.
“Thus, as expected, there is a high probability that ransomware gangs have included the CVE-2020-14882 exploit in their arsenal,” the researchers note.
Due to the severity of the vulnerability, Oracle urges organizations to apply the updates as soon as possible. According to search results from the Spyse engine, more than 3,000 Oracle WebLogic servers exposed on the internet are potentially vulnerable to CVE-2020-14882.