silversurfer
- Aug 17, 2014
A critical Oracle WebLogic Server vulnerability patched last week has been exploited by malicious actors to deliver a new piece of ransomware to organizations.
The ransomware, named Sodinokibi, is designed to encrypt files and delete backups in an effort to prevent victims from recovering their files without paying a ransom. It has been analyzed by independent researchers, South Korean cybersecurity firm EST Security, Cisco’s Talos research and intelligence group, and others.
Talos researchers were the ones who spotted Sodinokibi being delivered via the recently fixed WebLogic Server flaw. Deploying ransomware via a vulnerability in WebLogic Server can be highly efficient as, unlike in the case of other attack vectors, no user interaction is required.
Oracle WebLogic Server is a Java EE application server that is part of the company’s Fusion Middleware offering. Vulnerabilities affecting this piece of software can be useful to attackers whose campaigns are aimed at enterprises.
According to Talos, the attackers used PowerShell commands to download and execute their malicious files. Talos and others pointed out that the ransomware is designed to allocate a unique alphanumeric extension to encrypted files on each compromised system.