New Sodinokibi Ransomware Delivered via Oracle WebLogic Flaw

silversurfer

A critical Oracle WebLogic Server vulnerability patched last week has been exploited by malicious actors to deliver a new piece of ransomware to organizations.

The ransomware, named Sodinokibi, is designed to encrypt files and delete backups in an effort to prevent victims from recovering their files without paying a ransom. It has been analyzed by independent researchers, South Korean cybersecurity firm EST Security, Cisco’s Talos research and intelligence group, and others.

Talos researchers were the ones who spotted Sodinokibi being delivered via the recently fixed WebLogic Server flaw. Deploying ransomware via a vulnerability in WebLogic Server can be highly efficient as, unlike in the case of other attack vectors, no user interaction is required.

Oracle WebLogic Server is a Java EE application server that is part of the company’s Fusion Middleware offering. Vulnerabilities affecting this piece of software can be useful to attackers whose campaigns are aimed at enterprises.

According to Talos, the attackers used PowerShell commands to download and execute their malicious files. Talos and others pointed out that the ransomware is designed to allocate a unique alphanumeric extension to encrypted files on each compromised system.

upnorth

Historically, most varieties of ransomware have required some form of user interaction, such as a user opening an attachment to an email message, clicking on a malicious link, or running a piece of malware on the device. In this case, the attackers simply leveraged the Oracle WebLogic vulnerability, causing the affected server to download a copy of the ransomware from attacker-controlled IP addresses...