Oracle servers targeted by new Linux malware to steal passwords and cryptocurrencies
Criminals have been spotted abusing poorly secured Oracle WebLogic servers to mine cryptocurrency, build a DDoS botnet, and more.
Cybersecurity researchers at Aqua saw several attacks in the wild and decided to run a honeypot. They then saw a threat actor crack the weak password that had been set and install a piece of malware called Hadooken.
The malware, which has been used in “several dozen” attacks in recent weeks, has two main functionalities: cryptocurrency mining and a distributed denial of service (DDoS) botnet. Additionally, the malware gives attackers full control over the compromised endpoint.
Hadooken
Oracle WebLogic is a Java-based application server that enables you to develop, deploy, and manage enterprise-class applications.
As a robust, scalable platform for distributed applications, it is used by many companies for web services, portals, and database connectivity. It is most commonly used to run large-scale, mission-critical applications in finance, telecommunications, and e-commerce. With all its popularity, WebLogic is also a prime target for cybercriminals, since, according to The Register, it contains “several vulnerabilities.”
So far, the researchers have seen the hackers use Hadooken to mine crypto, while other functionalities have not been used yet. Hadooken was also said to have traces of ransomware functionality. “It is possible that the threat actor is also introducing this attack on a Linux ransomware, or that it has already been introduced if the malware has been running on the system for longer than a sandboxed execution,” they said.
By tracing the IP addresses of the Hadooken malware, the researchers were able to identify two IP addresses, one of which belongs to a British hosting company, but is registered in Germany. “In the past, this IP address was associated with TeamTNT and Gang 8220, but this weak link cannot attribute this attack to either threat actor,” the researchers said. The second IP address is registered in Russia, under the same hosting company. It is currently inactive.
Via The Register