Recently, many attackers have started scanning for servers running Oracle WebLogic. It is vulnerable to a critical flaw that lets threat actors take control of the system with little effort and no authentication.
Oracle WebLogic Server is one of the most widely used application servers for building and deploying enterprise Java EE applications. According to cybersecurity researchers, the WebLogic Server flaw is tracked as CVE-2020-14882 and is rated 9.8 out of 10 on the CVSS scale.
Oracle itself states that the attack is “low” in complexity and requires no prerequisites and no user interaction. The flaw can be exploited by threat actors with network access over HTTP.
Vulnerable WebLogic Versions
A total of 5 WebLogic versions are affected by this attack, and they are listed below:-
Hackers are actively looking for targets
According to a report by cybersecurity researcher Voidfyoo of Chaitin Security Research Lab, Oracle fixed the vulnerability this month in its Critical Patch Update (CPU).
Moreover, honeypots run by the SANS Technology Institute detected attacks soon after exploit code for CVE-2020-14882 surfaced publicly. Once it learned that threat actors were targeting the product, Oracle urged customers to fast-track the fix for the critical flaw in its WebLogic Server, which is under active attack.
IP addresses used
Johannes Ullrich, dean of research at the SANS Technology Institute, confirmed that the exploit attempts against the honeypots came from the following IP addresses:-
- 220.127.116.11 – Attributed to China Unicom
- 18.104.22.168 – Attributed to Linode (U.S.A.)
- 22.214.171.124 – Attributed to MivoCloud (Moldova)
- 126.96.36.199 – Attributed to DataCamp Ltd (Hong Kong)
The SANS Institute has already begun notifying the internet service providers responsible for the IP addresses above of the malicious activity. The exploits used in this attack appear to be based on technical details published by security researcher Jang.
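For defenders, the practical use of the published source addresses is to sweep existing HTTP access logs for them. The following Python script is an added example, not code from the article or from SANS: it parses Common Log Format lines (the layout is assumed; adjust the regex if your WebLogic access log uses a custom format), matches the source IP against the addresses reported above, and summarises hits per address. The log lines embedded in it are constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Source addresses the article reports SANS observed against its honeypots.
# They are indicators to search for in historical logs, not a block list to
# deploy blindly: cloud and ISP addresses get reassigned quickly.
REPORTED_SOURCE_IPS = {
    "220.127.116.11",
    "18.104.22.168",
    "22.214.171.124",
    "126.96.36.199",
}

# Assumed Common Log Format layout:
#   <ip> <ident> <user> [<timestamp>] "<method> <path> <protocol>" <status> <size>
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict of fields for a well-formed CLF line, else None."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        ip_address(rec["ip"])  # reject lines whose first field is not an IP
    except ValueError:
        return None
    rec["status"] = int(rec["status"])
    return rec


def find_ioc_hits(lines, iocs=REPORTED_SOURCE_IPS):
    """Return parsed records whose source IP is in the indicator set."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["ip"] in iocs:
            hits.append(rec)
    return hits


def summarize(hits):
    """Count hits per source IP so an analyst can see which indicator fired."""
    return dict(Counter(h["ip"] for h in hits))


# Constructed sample access log: two indicator addresses, two benign
# (documentation-range) addresses, and one malformed line.
SAMPLE_LOG = """\
220.127.116.11 - - [29/Oct/2020:10:15:01 +0000] "GET / HTTP/1.1" 200 1234
203.0.113.7 - - [29/Oct/2020:10:15:02 +0000] "GET /index.html HTTP/1.1" 200 512
18.104.22.168 - - [29/Oct/2020:10:16:40 +0000] "POST / HTTP/1.1" 302 0
this line is not an access log entry
220.127.116.11 - - [29/Oct/2020:10:17:03 +0000] "GET /robots.txt HTTP/1.1" 404 0
198.51.100.9 - - [29/Oct/2020:10:18:11 +0000] "GET / HTTP/1.1" 200 1234
""".splitlines()


if __name__ == "__main__":
    hits = find_ioc_hits(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print("hits per indicator:", summarize(hits))
```

Run it against a real log with `find_ioc_hits(open("access.log"))`; a match only tells you that the address reached the server, so follow up by checking the WebLogic version against the patched release rather than treating a hit as a confirmed compromise.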
Apart from this, Oracle said it had received several reports of attackers targeting the vulnerability, which was patched last month.
Similarly, researchers warned in May 2019 that malicious activity was exploiting a then recently published critical Oracle WebLogic deserialization vulnerability (CVE-2019-2725), which was also used to spread the “Sodinokibi” ransomware.