FireEye researchers recently observed threat actors abusing
CVE-2017-10271 to deliver various cryptocurrency miners.
CVE-2017-10271 is a known input validation vulnerability that exists
in the WebLogic Server Security Service (WLS Security) in Oracle
WebLogic Server versions 184.108.40.206.0 and prior, and attackers can
exploit it to remotely execute arbitrary code. Oracle released a Critical
Patch Update that reportedly fixes this vulnerability. Users who
failed to patch their systems may find themselves mining
cryptocurrency for threat actors.

FireEye observed a high volume of activity associated with the
exploitation of CVE-2017-10271 following the public posting of proof
of concept code in December 2017. Attackers then leveraged this
vulnerability to download cryptocurrency miners in victim environments.
We saw evidence of organizations located in various countries –
including the United States, Australia, Hong Kong, United Kingdom,
India, Malaysia, and Spain, as well as those from
nearly every industry vertical – being impacted by this activity.

Actors involved in cryptocurrency mining operations mainly exploit
opportunistic targets rather than specific organizations. This, coupled
with the diversity of organizations potentially affected by this
activity, suggests that the external targeting calculus of...