Attack

CISA warns of active exploits of old Oracle WebLogic flaws

Take action: If you are running old Oracle WebLogic servers, either retire them or patch them ASAP. You shouldn't be letting criminals mine cryptocurrency on your servers through a 7-year-old vulnerability; it's just embarrassing.


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is reporting that an old Oracle WebLogic vulnerability is being exploited by Chinese hackers to deploy cryptocurrency miners.

The vulnerability, tracked as CVE-2017-3506 (CVSS score 7.4), affects Oracle WebLogic Server and allows unauthenticated attackers to access or modify data, enabling arbitrary OS command execution through specially crafted HTTP requests. Oracle addressed this issue in 2017.

The first signs of potential exploitation in the wild appeared in 2018, during an analysis of attacks aimed at extracting payment card data from U.S. cities using Click2Gov software for utility bill payments. At that time, FireEye indicated that CVE-2017-3506 was among three Oracle WebLogic vulnerabilities possibly exploited during the initial phase of the attacks.

In May 2023, cybersecurity firm Trend Micro reported that the threat group 8220 Gang (also known as 8220 Mining Group) had been exploiting this and other vulnerabilities to deploy cryptocurrency miners on both Windows and Linux systems. More recently, on May 30, 2024, Trend Micro provided an update on the activities of this group, now tracked as Water Sigbin. The firm described Water Sigbin as a China-based threat actor that continues to exploit CVE-2017-3506, along with a newer Oracle WebLogic Server vulnerability, CVE-2023-21839.

CISA has instructed government organizations to address the flaw by June 24, 2024.