Hackers Attacking WebLogic Servers via CVE-2020-14882 Flaw to Install Cobalt Strike Malware


Attackers have been observed exploiting Oracle WebLogic Servers through CVE-2020-14882 to install Cobalt Strike, which gives them persistent remote access to the compromised hosts.

Scanning for the vulnerability

The latter half of last week saw a flurry of scans against Oracle WebLogic Server looking for hosts vulnerable to CVE-2020-14882.

CVE-2020-14882 was disclosed a couple of weeks ago, and we covered it in detail at the time.

On Friday, Oracle amended its patch for CVE-2020-14882: the fix shipped in the October 2020 Critical Patch Update was incomplete. A new variant of the vulnerability (CVE-2020-14750) can be used to exploit WebLogic servers with only a minor modification of the existing exploit code, so servers that received the October patch but not the follow-up are still exposed.

Alongside the vulnerability scans, a few attempts to install crypto-mining tools were also observed.

What is Cobalt Strike?

Cobalt Strike is a legitimate penetration-testing tool that threat actors use for post-exploitation tasks and to deploy beacons that give them persistent remote access.

This lets them return to the compromised servers to harvest data and deploy second-stage malware payloads.

How did the attack occur?

Cobalt Strike is designed for adversary simulation and penetration testing, but cybercriminals have repurposed the tool for malicious ends.

The attackers use a chain of base64-encoded PowerShell scripts to download and install Cobalt Strike payloads on unpatched Oracle WebLogic servers.

The Cisco Talos Q4 2020 CTIR report states that 66% of the ransomware attacks seen this quarter involved the use of Cobalt Strike.

The end result of the chain is shellcode that downloads and executes a Cobalt Strike payload.
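The decoding steps a responder has to perform on such a chain (the -EncodedCommand argument is base64 of UTF-16LE text, each nested FromBase64String('...') argument is another layer, and the last layer is a binary blob rather than script) can be automated. The following is an added example written for this article, not code from the article or from any vendor. It assumes Windows 4688-style process-creation log lines with a CommandLine field; the log lines and the placeholder bytes standing in for the final binary stage are constructed here, and the indicator strings are generic download-and-execute PowerShell fragments, not signatures taken from the article.

```python
"""Peel base64-encoded PowerShell layers out of process-creation logs.

Added example, not code from the article or from any vendor. It decodes the
-EncodedCommand argument (base64 of UTF-16LE text), keeps decoding nested
FromBase64String('...') arguments until it reaches a binary blob (the stage
the article describes as shellcode), and flags download/execute indicators
along the way. Log lines and the placeholder binary stage are constructed.
"""
import base64
import re

# Generic download-and-execute strings worth flagging; not taken from the article.
INDICATORS = ("IEX", "Invoke-Expression", "DownloadString", "Net.WebClient",
              "Invoke-WebRequest", "FromBase64String", "VirtualAlloc")

# -e, -ec, -enc or -encodedcommand followed by a base64 run (PowerShell accepts prefixes).
ENC_FLAG = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\b\s+([A-Za-z0-9+/=]{16,})",
                      re.IGNORECASE)
# Nested layers usually arrive as [Convert]::FromBase64String('...').
B64_ARG = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def decode_layer(b64text):
    """Base64-decode one layer; return text if it is UTF-16LE or UTF-8, else raw bytes."""
    raw = base64.b64decode(b64text, validate=True)
    # ASCII text encoded as UTF-16LE has a zero byte in every odd position.
    if len(raw) >= 2 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw  # not text: treat as a binary stage (shellcode, DLL, ...)


def triage(cmdline, max_depth=5):
    """Decode every base64 layer reachable from a command line and summarise it."""
    layers, found, blob_bytes = [], set(), 0
    m = ENC_FLAG.search(cmdline)
    pending = [m.group(1)] if m else []
    while pending and len(layers) < max_depth:
        try:
            decoded = decode_layer(pending.pop(0))
        except ValueError:  # bad padding or alphabet: not a real layer
            continue
        if isinstance(decoded, bytes):
            blob_bytes += len(decoded)
            layers.append("<binary %d bytes>" % len(decoded))
            continue
        layers.append(decoded)
        found.update(i for i in INDICATORS if i.lower() in decoded.lower())
        pending.extend(B64_ARG.findall(decoded))
    return {"layers": layers, "indicators": sorted(found), "blob_bytes": blob_bytes}


def scan_logs(lines):
    """Return (line index, report) for every line that yields at least one indicator."""
    hits = []
    for n, line in enumerate(lines):
        report = triage(line)
        if report["indicators"]:
            hits.append((n, report))
    return hits


def encode_command(script):
    """Build a -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# --- constructed sample data (not captured from a real intrusion) -------------
FAKE_STAGE = bytes([0xFC, 0xFF, 0xFE, 0x90, 0x00, 0x41, 0x42])  # placeholder binary stage
INNER = ("$sc=[Convert]::FromBase64String('%s');"
         "$p=[Kernel32]::VirtualAlloc(0,$sc.Length,0x3000,0x40)"
         % base64.b64encode(FAKE_STAGE).decode("ascii"))
OUTER = ("IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('%s')))"
         % base64.b64encode(INNER.encode("utf-16-le")).decode("ascii"))
SAMPLE_LOGS = [
    "EventID=4688 CommandLine=powershell.exe -nop -w hidden -enc " + encode_command(OUTER),
    "EventID=4688 CommandLine=powershell.exe -ExecutionPolicy Bypass -File C:\\ops\\backup.ps1",
]

if __name__ == "__main__":
    for n, report in scan_logs(SAMPLE_LOGS):
        print("line %d: indicators=%s, %d binary bytes, %d layers"
              % (n, report["indicators"], report["blob_bytes"], len(report["layers"])))
```

The UTF-16LE heuristic only recognises ASCII scripts, which is what the chains seen in the wild contain; a non-ASCII script would fall through to the UTF-8 branch. The benign second log line exercises the flag parser: -ExecutionPolicy must not be mistaken for -e, which is why the pattern insists on a word boundary before the whitespace.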

Immediate action advised


The Cybersecurity and Infrastructure Security Agency (CISA) has likewise advised administrators to apply the security update as soon as possible to address the two critical vulnerabilities.

Because both CVE-2020-14882 and CVE-2020-14750 can be exploited by unauthenticated attackers to take control of vulnerable WebLogic servers, Oracle recommends that customers apply the security updates immediately to block attacks. Note that applying only the October Critical Patch Update is not enough; the later patch for CVE-2020-14750 is required as well. Where the update cannot be applied at once, restricting network access to the WebLogic Administration Console, the component both CVEs target, reduces exposure in the meantime.
