This blog is a continuation of our Source Zero blog series, which outlines the Optiv Global Threat Intelligence Center’s (gTIC) Prioritized Software and Services List. The List provides a high-level introduction on frequently exploited software, services, and protocols and associated MITRE ATT&CK Tactic mappings. The intent of researching, identifying, and prioritizing potentially high-risk (based off attractiveness for, and frequency of, targeting by adversaries) products is to supplement and support enterprise risk management, incident response preparedness, intelligence collection, and threat research. These subsequent follow-up reports will go into more details regarding adversaries, vulnerabilities, techniques, and real-world incidents (where applicable) pertaining to many of the software and services outlined in the original report.

Part Three covers exploitation trends and vulnerabilities in Oracle WebLogic to support the gTIC’s inclusion of WebLogic server and any affiliated products on our Prioritized Software and Services List.

Oracle WebLogic and MITRE Technique Mapping

Optiv’s gTIC has identified and categorized Oracle WebLogic web servers as Critical Enterprise Software. As described in our initial Prioritized Software and Services List blog, products and software that fall under the category of Critical Enterprise Software are considered essential to business processes and continuity. These products enable internal and external system communications; web and application servers; and file and data hosting, management, storage, and sharing. Adversaries target these types of software and products for various actions, including accessing and exfiltrating data, gaining Initial Access with malware or phishing, scanning and exploitation of insecure web-facing instances, installing backdoors and web shells for Persistence, enumerating user credentials and privileges, and mapping out other parts of the network.

Oracle WebLogic is among the most widely used web and web application servers present in enterprise environments. The elevated risk profile of organizations running these products are based off the ubiquity of WebLogic, as well as the severity and notoriety of known vulnerabilities and real-world compromises. While multiple Oracle products have a strong presence in corporate environments globally, some are more frequently reported on. Independent of reporting frequency, if your organization owns or uses WebLogic or other popular Oracle products, prioritize accordingly.

Reports and observations show that adversaries leverage Oracle WebLogic to navigate across at least eight (8) Tactics mapped to the MITRE ATT&CK framework. Specific MITRE ATT&CK Techniques for each of the observed Tactics include the following:

TA0042 - Resource Development
T1584 - Compromise Infrastructure: Initial access brokers build out portfolios of Initial Access into networks, including leveraging Oracle WebLogic, to sell off to other cybercriminals, including ransomware operators and affiliates. Botnet herders exploit public-facing applications and devices like those running Oracle WebLogic to expand zombie networks.

TA0001 - Initial Access
T1190 – Exploit Public-Facing Application: Remote code execution (RCE) vulnerabilities in Oracle WebLogic have been exploited by cybercriminals to gain Initial Access as part of their initial access brokerage operations. Multiple botnets reported to scan for vulnerable instances of WebLogic for Initial Access to deploy cryptocurrency miners or additional credential stealing tools and malware. Rocke malware group known to exploit CVE-2017-10271 for Initial Access. Optiv incident response engagements also identified CVE-2017-10271 for Initial Access to implant a cryptocurrency coinminer.

TA0003 – Persistence
T1505 – Server Software Component: Webshells and cryptocurrency mining software like Bulehero and Sysrv Botnet are known to be installed onto WebLogic servers. Remote code execution (RCE) vulnerabilities in WebLogic were exploited by cybercriminals for Initial Access, after which JSP webshells were uploaded to maintain access and Persistence.

TA0009 – Collection
T1005 – Data from Local System: Botnet malware have exploited Oracle WebLogic vulnerabilities to extract keystrokes and credentials stored on systems.

TA0010 - Exfiltration
T1041 – Exfiltration Over C2 Channel: DarkIRC botnet has exploited WebLogic RCE vulnerabilities to download files from compromised servers and networks.

TA0011 - Command and Control
T1071 – Application Layer Protocol: Botnet malware/payloads are installed onto Oracle WebLogic servers to launch secondary distributed denial-of-service (DDoS) attacks.

TA0040 - Impact
T1486 – Data Encrypted for Impact: Sodinokibi (aka: REvil) ransomware operators have exploited WebLogic to deploy the encrypting malware from attacker-controlled assets (i.e., IP address, domain).

T1565 – Data Manipulation: DarkIRC botnet operators have been observed to alter cryptocurrency wallets and addresses copied to clipboard with attacker-controlled wallets and addresses to reroute payments and funds.

The following chart shows Oracle WebLogic mapped to various MITRE Tactics. The chart captures associated threats, including malware, adversaries, and popular vulnerabilities that are assessed to pose a high risk to organizations or that are known to be exploited by cyber adversaries over the last 24 months.

Image

Figure 1: Oracle WebLogic Mapping to MITRE ATT&CK Tactics
^© 2023. Optiv Security Inc. All Rights Reserved.

Vulnerabilities and Threats

Cyber adversaries are known to interrogate vulnerabilities in Oracle WebLogic products to accomplish numerous objectives. These include delivering various types of payloads and implants like cryptocurrency miners, webshells, and ransomware, as well establishing a foothold for botnets. Research and observed incidents of compromises involving WebLogic exploits also validate Optiv gTIC’s long-standing assessment that threat actors will continue exploiting old vulnerabilities (two years and older) in popular software and services due to the continued success in leveraging these proven exploits.

Oracle WebLogic is a popular attack vector notably for cryptocurrency coinminers, botnets, and initial access brokers. Aside from 0-day exploits, critical vulnerabilities in Oracle WebLogic have been observed to be scanned for and exploited by adversaries within 48 hours of disclosure, making it a highly time-sensitive asset to prioritize for an enterprise’s asset inventory and defense-in-depth program. Threat actors and groups known to have exploited Oracle WebLogic as part of their campaigns include the Bulehero botnet, Sysrv botnet, Muhstik botnet, Sodinokibi ransomware cartel, cyber-criminal initial access brokers such as Prophet Spider, and activity attributed to the 8220 group. This is Likely due to Oracle WebLogic’s internet-facing position and placement in enterprise environments, which makes it a key target for Initial Access and computing power and access due to serving as a web application and website server.

Deserialization vulnerabilities in Oracle WebLogic are one of the most critical types of vulnerabilities, which allow the attackers to execute code and upload arbitrary files. This was highlighted starting in 2019 with the debut of the Sodinokibi (aka: REvil) ransomware, which is widely accepted as emerging from the original Gandcrab ransomware cartel. Sodinokibi operators launched a well-known campaign in early 2019 with the exploitation of CVE-2019-2725 within 48 hours of Oracle’s disclosure and patch release. The exploitation of this insecure deserialization vulnerability resulted in the spread of the ransomware payload (PortSwigger provides an excellent explanation of deserialization and its potential risks if done insecurely). The Muhstik botnet also jumped on CVE-2019-2725 within one week of disclosure to gain a foothold onto vulnerable instances and launch distributed denial of service (DDoS) attacks.

In addition to CVE-2019-2725, another highly prolific and critical vulnerability that is popular with multiple threat actors is CVE-2020-14882, an RCE vulnerability disclosed and patched in October 2020. Throughout 2020, a number of threat actors exploited this vulnerability, including ransomware outfits, botnets, and cryptocurrency coinmining operations. As of 2022, it was observed and reported that cyber threat actors were still interrogating this vulnerability.

Deployment of coinminers is a popular action following a WebLogic compromise. In 2018, Optiv’s incident response team observed the delivery of cryptocurrency coinminers (including the XMRig Monero coinminer) in multiple engagements following the exploitation of Oracle WebLogic against customers in the Consumer Cyclicals, Energy, and Academic and Educational Services vertical. Based on log data, this vulnerability was assessed to Likely be CVE-2017-10271 in many of these instances. In 2022, Optiv responded to another incident for a customer in the Telecommunications Services industry, in which exploitation of Oracle WebLogic led to the threat actors installing a malicious bash script. There were subsequent attempts deliver additional payloads, including SSH brute-forcing tools and coinminers. In addition to the previously mentioned CVE-2019-2725, botnets including DarkIRC were observed to leverage other WebLogic vulnerabilities to deliver coinminers, including CVE-2020-14750 and CVE-2020-14882.

While not the focus of this blog post, Optiv’s gTIC also recognizes other Oracle products that are Likely to be exploited by threat actors aside from WebLogic, including Fusion and Java Runtime. A recent joint report suggests that even in 2022, old vulnerabilities in these Oracle products going back to 2012 were among a short list of vulnerabilities that allowed threat actors to achieve multiple Tactics (as mapped to the MITRE ATT&CK framework) as part of the full attack cycle, similar to what Optiv gTIC’s research confirms regarding Oracle WebLogic in this post.

The graphics below illustrate Optiv gTIC’s Threat Actor Metric™ calculated for selected cyber threat actors known to leverage Oracle WebLogic as part of their attacks (See Appendix: References for an explanation of the Threat Actor Metric^™).

Image

Figure 2: Threat Actor Metric Score for REvil Ransomware
^© 2023. Optiv Security Inc. All Rights Reserved.

Image

Figure 3: Threat Actor Metric for Prophet Spider
^© 2023. Optiv Security Inc. All Rights Reserved.

Appendix

References

¹MITRE ATT&CK^® is a globally accessible knowledge base of adversary Tactics and Techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. More information about MITRE ATT&CK^® can be found at attack.mitre.org. All information about MITRE ATT&CK belongs to The MITRE Corporation subject to the following copyright: ^©2021 The MITRE Corporation. MITRE ATT&CK^® is licensed under the Terms of Use located at https://attack.mitre.org/resources/terms-of-use/".

Optiv Threat Actor Metric^™ – The Optiv Threat Actor Metric^™ was developed by Optiv’s gTIC and is a multi-faceted, qualitative approach to determine a cyber adversary’s or campaign’s potential threat to an organization or industry. The metric considers known and assessed non-technical capabilities and intentions and is scored out of a total possible of 100. The purpose of this metric is to provide an added layer of depth to risk-based intelligence analysis and support proactive and remediating recommendations by presenting a visualization of non-technical, qualitative risk factors of adversaries and threat campaigns. It is similar in function as to the United States Department of Defense’s CARVER targeting scale.

Link charts and graphs in this report were created by Optiv gTIC leveraging the ThreatQuotient^® Investigations platform.

In addition to Optiv’s own Enterprise Incident Management team’s incident response engagements and analysis, the following references provided additional information for this blog post:

BrandDefense ‘Initial Access Methods: How Malicious Actors Infiltrate Companies’, 2022, https://brandefense.io/blog/ransomware/initial-access-methods-how-malicious-actors-do-infiltrate-companies/

Cisco Talos, ‘Sodinokibi ransomware exploits WebLogic Server vulnerability’, 2019, https://blog.talosintelligence.com/sodinokibi-ransomware-exploits-weblogic/

Cisco Talos, ‘Rocke: The Champion of Monero Miners’, 2018, https://blog.talosintelligence.com/rocke-champion-of-monero-miners/

Crowdstrike, ‘PROPHET SPIDER Exploits Oracle WebLogic to Facilitate Ransomware Activity’, 2021, https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/

Juniper Networks, ‘DarkIRC bot exploits recent Oracle WebLogic vulnerability’, 2020, https://blogs.juniper.net/en-us/threat-research/darkirc-bot-exploits-oracle-weblogic-vulnerability

KnownSec404, ‘Oracle WebLogic Deserialization RCE Vulnerability (0day) Alert Again (CVE-2019–2725 patch bypassed!!!)’, 2019, https://medium.com/@knownsec404team/knownsec-404-team-alert-again-cve-2019-2725-patch-bypassed-32a6a7b7ca15

PaloAlto Unit42, ‘Muhstik Botnet Exploits the Latest WebLogic Vulnerability for Cryptomining and DDoS Attacks’, 2019, https://unit42.paloaltonetworks.com/muhstik-botnet-exploits-the-latest-weblogic-vulnerability-for-cryptomining-and-ddos-attacks/

TrendMicro, ‘CVE-2019-2725 Exploited, Used to Deliver Monero Miner’, 2019, https://www.trendmicro.com/en_us/research/19/f/cve-2019-2725-exploited-and-certificate-files-used-for-obfuscation-to-deliver-monero-miner.html

TrendMicro ‘A Post-exploitation Look at Coinminers Abusing WebLogic Vulnerabilities’, 2022, https://www.trendmicro.com/en_us/research/22/i/a-post-exploitation-look-at-coinminers-abusing-weblogic-vulnerab.html

Analytical Comments, Statements, and Best Practices

Most Likely Course of Action (MLCOA) – The expected and probable tactics, techniques, and actions carried out by a threat actor. COA statements are well established and accepted in estimative and predictive intelligence assessments.

Most Dangerous Course of Action (MDCOA) – Tactics, techniques, or actions carried out or taken by an adversary that result in a worst-case scenario outcome or impact, regardless of probability. COA statements are well established and accepted in estimative and predictive intelligence assessments.

Words of Estimated Probability – Optiv EIM Intelligence employs the use of both probability statements for likelihood of events or actions and confidence levels for analytic assessments and judgements. Probability statements and confidence statements are inherently subjective; however, Optiv EIM Intelligence leverages professional experience and intelligence fundamentals to deliver reasonable and relevant statements and assessments. Probability statements and the degree of likelihood of an assessed event/incident are modeled after the Intelligence Community Directive (ICD) 203: Analytic Standards, published by the United States’ Office of the Director of National Intelligence (ODNI), and are as follows:

Confidence statements, as defined by Optiv EIM Intelligence, apply to reliability and relevance of information reported and are as follows:

Per ICD 203 standards, confidence-level statements are not combined with probability and degree of likelihood terms proposed in the above chart.