Recently Patched Oracle WebLogic Flaw Used in Active Attacks

Less than a week after a critical vulnerability was patched in Oracle’s WebLogic application server, attackers have already started exploiting the flaw to break into enterprise systems.

WebLogic is a component of Oracle Fusion Middleware and underpins many applications that process and store business critical data, making WebLogic an attractive target for hackers. Past attacks have exploited WebLogic vulnerabilities to abuse enterprise servers for cryptocurrency mining.

During its quarterly critical patch update on July 18, Oracle fixed a vulnerability in WebLogic tracked as CVE-2018-2893. The flaw has a criticality score of 9.8 out of 10 on the CVSS scale and can be exploited without authentication to achieve remote code execution.

A day later, proof-of-concept exploit code for the vulnerability appeared online and hackers quickly adopted it. Security researchers from the SANS Internet Storm Center and Qihoo’s Netlab reported ongoing attacks.

According to a Netlab analysis, the group behind the attacks is abusing the hacked WebLogic servers in a number of ways. The exploit payloads observed so far include a reverse shell, a cryptocurrency mining program and a tool for launching distributed denial-of-service attacks.

Unfortunately, these attacks are likely to compromise a significant number of servers because companies are slow to deploy patches. In December, hackers started exploiting CVE-2017-10271, a critical WebLogic vulnerability patched by Oracle two months earlier, in October. By January, the attackers had already made more than $200,000 from abusing the compromised WebLogic servers to mine Monero.

The newly patched CVE-2018-2893 vulnerability affects Oracle WebLogic versions 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. Users are advised to deploy Oracle’s patch as soon as possible in light of the ongoing attacks.

Chrome Starts Marking HTTP Websites as ‘Not Secure’

The latest version of Google’s Chrome browser, Chrome 68, released July 24, flags all websites that don’t use SSL/TLS encryption as “Not Secure.”

Among the companies whose websites appear with the new indicator next to their names in the browser’s address bar are large news organizations including the U.K.’s The Daily Mail, the BBC, ESPN, FOX News and major Chinese online services Baidu, QQ and Alibaba. According to a website created by researchers Troy Hunt and Scott Helme, 100, or around 20 percent, of the world’s top 500 websites based on Alexa ranking, don’t use HTTPS (HTTP Secure) by default.

In a blog post, Google referred to the decision to mark non-encrypted websites as “Not Secure” as “a milestone for Chrome security.” To those following technology news, this was expected, but many regular users might have been taken by surprise.

With the sharp rise in HTTPS adoption in recent years, it was clear to many people that there would be a tipping point where HTTPS would become the new normal and HTTP the exception. So, it’s understandable that just as they marked HTTPS websites as “Secure” for years, browsers will soon follow Chrome and start marking HTTP websites as “Not Secure.” Chrome’s developers even plan to drop the “Secure” flag for HTTPS sites in September and to make the “Not Secure” warning more visible by changing its color to red.

“Nearly two years ago, we announced that Chrome would eventually mark all sites that are not encrypted with HTTPS as ‘not secure’,” Emily Schechter, Chrome’s security product manager, said in the blog post. “This makes it easier to know whether your personal information is safe as it travels across the web, whether you’re checking your bank account or buying concert tickets. Starting today, we’re rolling out these changes to all Chrome users.”

According to Google’s statistics, 76 percent of users’ web traffic in Chrome for Android goes to HTTPS websites and 83 of the world’s top 100 websites now use encrypted connections by default. In the company’s ChromeOS, the ratio of user traffic protected by HTTPS is even higher: 85 percent.

If your corporate website doesn’t yet use HTTPS, you should consider implementing it as soon as possible, as there are very few reasons not to encrypt web connections today. Worse, by not doing it, your site’s search ranking and now its reputation will suffer. Of course, keep in mind that enabling HTTPS only prevents man-in-the-middle traffic sniffing and does not protect your site or its users from other types of web-based attacks.

“Many of the most popular websites are still prone to SQL injections and XXE attacks, let alone omnipresent XSS and CSRF vulnerabilities,” said Ilia Kolochenko, CEO of security firm High-Tech Bridge, via email. “These security vulnerabilities bear a much higher degree of risk and may allow breaching the entire website and all the records, PII or financial data the website handles or stores.”

Lucian Constantin


Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
