Multiple attackers are exploiting an Oracle WebLogic Server vulnerability that Oracle patched late last year to secretly mine thousands of dollars' worth of cryptocurrency, security researchers have found.
According to a report published by the SANS Technology Institute, Morphus Labs researcher Renato Marinho said the easily exploitable Oracle WebLogic vulnerability, tracked as CVE-2017-10271, was fixed in October last year but continues to be exploited on systems that have not installed the patch.
The bug lets a remote attacker, without authenticating, run arbitrary commands with the privileges of the user account the WebLogic server process runs as.
"The exploit is pretty simple to execute and comes with a Bash script to make it easy to scan for potential victims," Marinho explained.
Attackers have been found using this flaw to install cryptominers on vulnerable, unpatched servers and hijack their processing power to mine Monero. Both WebLogic and PeopleSoft servers that have still not installed the patch are being targeted; PeopleSoft is affected because it runs on top of WebLogic.
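The article does not show what an exploit attempt looks like on the wire or in the logs. The following is an added example written for this page, not code from SANS ISC or Morphus Labs. It assumes, from the public exploit rather than from anything stated above, that the attack is a SOAP POST to a /wls-wsat/ endpoint such as /wls-wsat/CoordinatorPortType whose WorkContext header carries a java.beans.XMLDecoder document that instantiates java.lang.ProcessBuilder; the request body and access-log lines it checks are constructed samples, not captures.

```python
"""Flag HTTP requests and access-log lines that look like CVE-2017-10271 abuse.

Added example for this article, not SANS ISC or Morphus Labs code. Assumed
(from the public exploit, not stated in the article): the request is a SOAP
POST to a /wls-wsat/ endpoint such as /wls-wsat/CoordinatorPortType whose
WorkContext header carries a java.beans.XMLDecoder document that instantiates
java.lang.ProcessBuilder. All sample data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Any request under the WS-AT context root; legitimate traffic here is rare.
WSAT_PATH = re.compile(r"^/wls-wsat/", re.IGNORECASE)
WORK_CONTEXT = re.compile(r"<(?:\w+:)?WorkContext\b", re.IGNORECASE)
XMLDECODER = re.compile(r'class\s*=\s*"java\.beans\.XMLDecoder"', re.IGNORECASE)
PROCESS_BUILDER = re.compile(r"java\.lang\.ProcessBuilder", re.IGNORECASE)
# WebLogic's default access.log is Common Log Format, one request per line.
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')


@dataclass
class Finding:
    severity: str  # "info", "high" or "critical"
    reason: str


def inspect_request(method: str, path: str, body: str) -> Optional[Finding]:
    """Classify one request; None means it did not touch /wls-wsat/ at all."""
    if not WSAT_PATH.match(path.split("?", 1)[0]):
        return None
    if method.upper() != "POST":
        return Finding("info", "non-POST request to /wls-wsat/ (WSDL probe?)")
    if not (WORK_CONTEXT.search(body) and XMLDECODER.search(body)):
        return Finding("info", "POST to /wls-wsat/ without an XMLDecoder payload")
    if PROCESS_BUILDER.search(body):
        return Finding("critical", "XMLDecoder payload instantiating ProcessBuilder")
    return Finding("high", "XMLDecoder document inside WorkContext header")


def scan_access_log(lines) -> List[dict]:
    """Pull every /wls-wsat/ request out of access-log lines.

    Bodies are not logged, so this only shows who hit the vulnerable endpoint.
    Do not read the status code as a success flag: the payload runs while the
    header is being decoded, so a 500 response does not mean the command failed.
    """
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        client, method, path, status = m.groups()
        if WSAT_PATH.match(path.split("?", 1)[0]):
            hits.append({"client": client, "method": method, "path": path,
                         "status": int(status),
                         "kind": "attempt" if method == "POST" else "probe"})
    return hits


# Constructed sample request body: the skeleton of the payload with the
# command arguments elided; enough for the detector, not a working exploit.
SAMPLE_ENVELOPE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java class="java.beans.XMLDecoder">
        <void class="java.lang.ProcessBuilder"><!-- arguments elided --></void>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""

# Constructed access-log lines (Common Log Format), not from a real incident.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [06/Jan/2018:03:14:22 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4412
198.51.100.9 - - [06/Jan/2018:03:16:44 +0000] "GET /wls-wsat/CoordinatorPortType?WSDL HTTP/1.1" 200 7021
203.0.113.7 - - [06/Jan/2018:03:17:01 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1320
203.0.113.7 - - [06/Jan/2018:03:17:09 +0000] "POST /wls-wsat/CoordinatorPortType11 HTTP/1.1" 500 1320
"""

if __name__ == "__main__":
    print(inspect_request("POST", "/wls-wsat/CoordinatorPortType", SAMPLE_ENVELOPE))
    for hit in scan_access_log(SAMPLE_ACCESS_LOG.splitlines()):
        print(hit)
```

The access-log scan is the cheap retrospective check: any POST to /wls-wsat/ from an unfamiliar client on an unpatched server should be treated as a probable compromise, because nothing in the log tells you whether the command ran. The request-level check is what you would put in a WAF or reverse proxy in front of a server you cannot patch immediately; it is a signature, so it catches the public exploit and obvious variants, not every encoding an attacker could choose.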
The attacks are thought to have begun after Chinese security researcher Lian Zhang published a proof-of-concept exploit in December, Johannes B Ullrich, dean of research at the SANS Technology Institute, said in a follow-up post.
"Lian's post may not be the first, but this looks like the exploit that was used in the attack discussed here, and the post appears to have started an increased interest in this flaw," Ullrich explained. "Lian's blog is talking about CVE-2017-3506, but the exploit matches CVE-2017-10271. Oracle's April CPU patched CVE-2017-3506, but it didn't do so completely, leaving an opening that led to CVE-2017-10271."
In this attack, a simple bash script finds a writable working directory, kills any cryptominers already running on the targeted system (competitors for the same CPU) and sets up a cron job that downloads and launches the new miner, so the miner is re-fetched and restarted if it is removed.
The miner is xmrig, dropped on disk under the file name "fs-manager". xmrig itself is legitimate open-source Monero mining software; what makes it malware here is that it is installed and run without the server owner's consent.
Researchers said the xmrig mining software was found on 722 vulnerable WebLogic and PeopleSoft systems. They also noted the attacks were launched from different locations across the globe, with many of the affected servers hosted by major cloud service providers such as Amazon Web Services, Digital Ocean, Google Cloud, Microsoft Azure, Oracle Cloud and OVH.
"This isn't a surprise since many organisations are moving their most critical data to the cloud to make it easier for the bad guys to get to it," Ullrich said. "The victims are distributed worldwide. This isn't a targeted attack. Once the exploit was published, anybody with limited scripting skills was able to participate in taking down WebLogic/PeopleSoft servers."
One attacker has already managed to mine 611 Monero coins ($242,762, £179,411 at current rates) so far, researchers said. Another attacker exploited the vulnerability to mine AEON, a less popular cryptocurrency, rather than Monero or Bitcoin.
"Even though they are achieving a similar hash rate, they only earned about $6,000 so far. Maybe they will switch to Monero after reading this," Ullrich added.
He also warned that victims should not treat the incident as closed simply by removing the mining software and patching the server.
"Your server was vulnerable to an easily executed remote code execution exploit," he said. "It is very likely that more sophisticated attackers used this to gain a persistent foothold on the system. In this case, the only 'persistence' we noticed was the CRON job. But there are many more – and more difficult to detect – ways to gain persistence."