Cyber Alert: Increase in SLTT Government Owned WebLogic Server Compromises

Date Issued: January 12, 2018

The MS-ISAC has observed an increase in exploitation of CVE-2017-10271 against state, local, tribal, and territorial (SLTT) government Oracle WebLogic servers, which results in complete compromise of the server by the cyber threat actor. Currently, the MS-ISAC is identifying exploitation for the purposes of monetization through Monero miners and is aware of open-source reporting indicating the use of other cryptocurrency miners. However, the nature of the exploit does not prohibit other uses, and it is important to note that PeopleSoft software is often run on WebLogic servers.

Depending on privileges assigned to the WebLogic web server, cyber threat actors could use the initial compromise to gain a foothold in an organization’s PeopleSoft server environment. PeopleSoft is a software suite widely used to handle a range of tasks from human resources to financial planning. These servers may contain employees’ sensitive personally identifiable information (PII), electronic personal health information (ePHI), and financial information that will be exposed in the event of a compromise.

CVE-2017-10271 bypasses a security feature built into WebLogic servers, which was patched in the October 2017 Oracle Quarterly Update. Systems running WebLogic versions prior to 12.2.1.2.171017, 12.2.1.1.171017, 12.1.3.0.171017, and 10.3.6.0.171017 are vulnerable.

Cryptocurrency miners are malware trojans that use a compromised system’s resources in order to generate revenue for an actor. This use causes the computer to run slower, which can lead to stuttering or freezing during intense resource use. It also causes the CPU to run at above average temperatures for extended periods of time, which could shorten the life of the CPU.

Indicators of Compromise (IOC):

  • Files: watch-smartd, xlog-daemon, carbon, default, rcp_bh, watch-smartd1, infoed, xfsallocd, content, and localfile~
  • MD5: faca70429c736dbf0caf2c644622078f
  • SHA-1: f79a2ba735a988fa6f65988e1f3d39684727bdc4

Recommendations:

  • Apply patch 12.2.1.3 provided by Oracle to vulnerable systems immediately after appropriate testing.
  • If you believe that cryptocurrency mining may be occurring on your network, check for abnormally high resource use, and suspicious files and log entries. The SANS ISC feed contains IP addresses of known miner pools for correlation efforts.
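
The check for suspicious files can be run as a sweep for the file names and hashes listed under Indicators of Compromise. The script below is an added example, not part of the MS-ISAC alert; the function names and the `--all` option are assumptions of this example.

```python
import hashlib
import os
import sys

# Indicators copied from the alert's IOC list.
IOC_NAMES = frozenset("watch-smartd xlog-daemon carbon default rcp_bh "
                      "watch-smartd1 infoed xfsallocd content localfile~".split())
IOC_MD5 = "faca70429c736dbf0caf2c644622078f"
IOC_SHA1 = "f79a2ba735a988fa6f65988e1f3d39684727bdc4"


def file_digests(path, chunk=1 << 20):
    """Return (md5, sha1) hex digests of a file, reading it in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def scan(root, names=IOC_NAMES, md5=IOC_MD5, sha1=IOC_SHA1, hash_all=False):
    """Walk root; return sorted (path, reason) findings. Names are weak
    evidence ("default", "content" are common); a hash match is strong.
    hash_all also hashes files with other names, catching renamed copies."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):  # does not follow dir symlinks
        for name in files:
            path = os.path.join(dirpath, name)
            name_hit = name in names
            skip = os.path.islink(path) or not os.path.isfile(path)
            if skip or not (name_hit or hash_all):
                continue  # symlink, FIFO or device node, or outside the sweep
            try:
                digests = file_digests(path)
            except OSError:
                digests = ()  # unreadable: fall back to the name check
            if md5 in digests or sha1 in digests:
                findings.append((path, "hash match"))
            elif name_hit:
                findings.append((path, "name match only"))
    return sorted(findings)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, reason in scan(target, hash_all="--all" in sys.argv):
        print(f"{reason}: {path}")
```

A "name match only" result needs review of the file's owner, location and creation time before it is treated as a compromise, since the alert does not say which file the two hashes belong to.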
