Attackers actively exploiting Atlassian Confluence and Oracle WebLogic flaws

Attackers are actively exploiting recently fixed vulnerabilities in Oracle WebLogic and the Widget Connector macro in Atlassian Confluence to deliver ransomware, mine cryptocurrency and make the compromised machines participate in DDoS attacks.


The Oracle WebLogic attacks

CVE-2019-2725 is a deserialization remote command execution vulnerability that affects all Oracle WebLogic versions that have two specific components enabled.

It was publicly revealed on April 21 and Oracle published an out-of-band security fix for it on April 25.

Oracle WebLogic servers are often targeted by attackers who want to use their resources for covert cryptomining.

It happened with CVE-2019-2725, too. On April 28, Palo Alto Networks’ Unit 42 flagged a new variant of the Linux botnet Muhstik that exploits the vulnerability and compromises Linux servers and IoT devices for cryptomining and DDoS attacks.

But the flaw is also being exploited to install ransomware, first Sodinokibi and then GandCrab.

“Initial stages of the ransomware attack occurred on April 25, the day before Oracle released their update,” Cisco Talos researchers noted.

The attackers leveraged the vulnerability to make the vulnerable servers download the ransomware from two IP addresses under their control, and were apparently successful at encrypting a number of systems.

But, not satisfied with that, they followed up with an additional CVE-2019-2725 exploit attempt mere hours later to deliver the GandCrab ransomware. The why of this double-whammy is unknown.

“This attack is notable because of the attackers’ use of a zero-day exploit to distribute ransomware. Whereas previously we have witnessed ransomware attackers taking advantage of unpatched systems to install and laterally propagate ransomware, this zero-day exploitation method could work on otherwise fully-patched systems,” the researchers added.

The Atlassian Confluence attacks

CVE-2019-3396 is a server-side template injection vulnerability in the Atlassian Confluence Server and Data Center Widget Connector that could be used for remote code execution.

Its existence was publicly revealed by Atlassian on March 20, simultaneously with the release of new versions of this popular team collaboration platform that fix both this flaw and another critical vulnerability, a server-side request forgery.

Attackers have also been trying to drop GandCrab (from one of the aforementioned IP addresses) onto vulnerable Atlassian Confluence instances.

“Proof of concept code for [CVE-2019-3396] was made available in the public domain on April 10 and by the next day we were observing the first weaponized attack attempts using this new vector,” Alert Logic researchers shared.

This was three weeks after the fixes were released but, obviously, not everyone got around to patching their installations.

“This re-emergence of ransomware as the outcome of an unauthenticated remote code execution vulnerability may be an opportunist use of ransomware instead of cryptominers due to the nature of the vulnerability being used. Given that CVE-2019-3396 targets Confluence (which is a wiki platform) then the application in question will potentially hold valuable company information and may not be sufficiently backed up. The attackers may be making a judgement call that the likelihood of pay-out is a sufficiently higher return than could be expected mining cryptocurrency on the host,” the researchers noted.

Finally, Trend Micro researchers detected attacks exploiting CVE-2019-3396 to deliver an AESDDoS botnet malware variant to vulnerable setups.

What to do?

Users might not have been able to protect their WebLogic installations because the vulnerability was a zero-day when it was exploited and no patch was available. Confluence users, on the other hand, had more than enough time to implement the provided patches.

But all the fixes are available now, and users of both products are advised to apply them.

Still, as Johannes Ullrich, dean of research at the SANS Technology Institute, noted, WebLogic’s design makes it particularly prone to deserialization vulnerabilities.

“Do not expose WebLogic to the Internet if you can help it. I doubt that this was the last such vulnerability,” he added.

SANS ISC handler Rob VandenBrink is of the same opinion. “The root cause here seems to be that the affected WAR components ingest and process all serialized data, and have a blacklist of ‘bad’ content. What this means to me is that we’re likely to see a number of similar vulnerabilities/attacks crop up over the next while, until Oracle changes this approach.”
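
The difference between a blacklist of "bad" content and an allowlist of expected content, as an added example that is not code from the article, the quoted researchers or Oracle. It uses Python's pickle as a stand-in for WebLogic's Java deserialization, and the class names and the harmless "gadget" stand-ins (sum, len) are assumptions made for illustration.

```python
import io
import pickle

# Harmless stand-ins (assumptions for this sketch): "sum" plays a gadget the
# vendor has already blocklisted, "len" plays one nobody has reported yet.
BLOCKLIST = {("builtins", "sum")}
ALLOWLIST = set()  # plain dict/list/str data needs no class lookup at all


class Call:
    """Constructed sample input: deserializing it calls func(arg)."""

    def __init__(self, func, arg):
        self.func, self.arg = func, arg

    def __reduce__(self):
        return (self.func, (self.arg,))


class BlocklistUnpickler(pickle.Unpickler):
    """Resolve anything that is not known to be bad."""

    def find_class(self, module, name):
        if (module, name) in BLOCKLIST:
            raise pickle.UnpicklingError(f"blocked {module}.{name}")
        return super().find_class(module, name)


class AllowlistUnpickler(pickle.Unpickler):
    """Resolve only what is known to be needed."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWLIST:
            raise pickle.UnpicklingError(f"not allowed {module}.{name}")
        return super().find_class(module, name)


def load(unpickler_cls, obj):
    """Serialize obj, deserialize it, return ('ok', value) or ('rejected', reason)."""
    data = pickle.dumps(obj)
    try:
        return ("ok", unpickler_cls(io.BytesIO(data)).load())
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    samples = {"known gadget": Call(sum, [1, 2]), "new gadget": Call(len, "abc"),
               "plain data": {"title": "wiki page", "tags": ["a", "b"]}}
    for label, obj in samples.items():
        print(label, load(BlocklistUnpickler, obj), load(AllowlistUnpickler, obj))
```

The blocklist loader stops the gadget it already knows but still runs the unlisted one during deserialization, while the allowlist loader rejects both and continues to accept plain data.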