Security researchers at Cisco Talos have discovered that a zero-day vulnerability in Oracle WebLogic Server is being exploited to deliver ransomware. Attackers are reported to be using the flaw to install a new ransomware strain called Sodinokibi, alongside some versions of the GandCrab ransomware.
What makes the discovery notable is that WebLogic servers typically sit between frontend and backend applications, a position where there is little or no opportunity to intercept malicious traffic. These servers act as middleware, routing web traffic between backend applications and the frontend applications that face users.
Researchers at the cybersecurity firm Cisco Talos say the campaign resembles one that targeted Magento or Drupal websites last year.
"It is like installing ransomware on web servers," said Jason Schultz, technical leader at Cisco Talos.
He added that in such incidents the scope of the attack's impact is severely limited, since the servers can hold backups, logs and even packet captures of the abnormal activity, which security teams can later analyze.
Schultz says his team of security analysts has found attackers exploiting CVE-2019-2725, a zero-day flaw in WebLogic's WLS9_ASYNC and WLS-WSAT components.
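The article notes that these servers keep logs and packet captures that defenders can analyze. As an added example, not code from Cisco Talos or the original article, the following Python script scans WebLogic-style HTTP access-log lines and flags requests aimed at the two components named above. The sample log lines are constructed for the example; the log layout (WebLogic's default common log format) and the URL prefixes /_async/ and /wls-wsat/, which those two components serve in a default deployment, are assumptions, so adjust them to match your own access-log configuration.

```python
"""Flag access-log requests that target the wls9_async and wls-wsat
components of Oracle WebLogic Server.

Added example, not code from Cisco Talos or the original article.
Assumptions (verify against your deployment):
  * the access log uses WebLogic's default common log format, i.e.
    host - - [timestamp] "METHOD path PROTO" status bytes
  * the two components are served under /_async/ and /wls-wsat/
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Assumed default URL prefixes for the two affected components.
SUSPECT_PREFIXES = {
    "/_async/": "wls9_async",
    "/wls-wsat/": "wls-wsat",
}

# Assumed common-log-format layout of a WebLogic access log line.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: two hosts probing and posting to the suspect
# endpoints, and one host doing ordinary application traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Apr/2019:10:12:01 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0
203.0.113.7 - - [26/Apr/2019:10:12:03 +0000] "GET /wls-wsat/CoordinatorPortType HTTP/1.1" 200 1273
198.51.100.23 - - [26/Apr/2019:10:13:44 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 311
192.0.2.10 - - [26/Apr/2019:10:14:02 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 5120
192.0.2.10 - - [26/Apr/2019:10:14:05 +0000] "POST /myapp/api/orders HTTP/1.1" 201 88
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access-log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding if the request targets a suspect component.

    A POST to one of these SOAP endpoints is how a payload would be
    delivered, so it is rated high; any other method is rated low and
    treated as reconnaissance.
    """
    path = entry["path"].split("?", 1)[0]  # drop any query string
    for prefix, component in SUSPECT_PREFIXES.items():
        if path.startswith(prefix):
            return {
                "src": entry["src"],
                "ts": entry["ts"],
                "method": entry["method"],
                "path": path,
                "status": entry["status"],
                "component": component,
                "severity": "high" if entry["method"] == "POST" else "low",
            }
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Scan every line of an access log and collect the findings in order."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable or non-matching line, skipped
        finding = classify(entry)
        if finding is not None:
            findings.append(finding)
    return findings


def sources_by_count(findings: List[Dict[str, str]]) -> List[Tuple[str, int]]:
    """Rank source addresses by how many suspect requests they sent."""
    return Counter(f["src"] for f in findings).most_common()


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['severity']:4} {f['src']:15} {f['method']} {f['path']} -> {f['status']} ({f['component']})")
    print("by source:", sources_by_count(results))
```

A hit from this scan is a lead, not proof of compromise: legitimate SOAP clients can call these endpoints too, and the access log does not record the request body. The next step is to pull the matching requests out of the packet captures the article mentions and inspect the POST bodies, and to check whether the flagged hosts later spawned unexpected processes or dropped ransom notes.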
Therefore, all Oracle WebLogic Server owners are urged to apply Oracle's patch for CVE-2019-2725 to WebLogic itself without delay; keeping the host operating system up to date is good practice but does not fix a flaw in the application server.
Note: Cisco Talos assesses that Sodinokibi is a recently developed ransomware strain. Because its effectiveness at scale was still unproven, the attackers also distributed GandCrab in order to raise the severity of the attack.