'Hadooken' Linux malware targets Oracle WebLogic servers

An unknown attacker is exploiting weak passwords to break into Oracle WebLogic servers and deploy an emerging Linux malware called Hadooken, according to researchers from cloud security outfit Aqua.

It is unclear whether the malware is being deployed in a concerted campaign: Aqua lead data analyst Assaf Morag told The Register that his team "saw a few dozen attacks over the past couple of weeks."

WebLogic is a platform for running applications at enterprise scale, and is often present at financial services providers, e-commerce operations, and other business-critical systems. It is a frequent target because it has had numerous vulnerabilities.

Aqua caught the malware in a honeypot WebLogic server. The attack exploited a weak password to gain entry, then remotely executed malicious code. The first payload runs a shell script called "c" and a Python script called "y" – both of which attempted to download Hadooken.

Hadooken, likely named after an attack in the Street Fighter videogame series, contains a cryptominer and the Tsunami malware – a DDoS botnet and backdoor that gives attackers full remote control over an infected machine.

Aqua's threat hunters noted that they have not seen evidence of Tsunami running, but they speculated it could be activated later.

The malware also creates multiple cronjobs to maintain persistence. The shell script that starts the fun can also steal user credentials and other secrets, which attackers use to move laterally and attack other servers.

Aqua traced the downloaded Hadooken malware back to two IP addresses, one of which is associated with a UK-based hosting company. There is no suggestion the company has a role in any malware campaign.

"TeamTNT and Gang 8220 used this IP in the past but that doesn't say anything about potential attribution," Morag explained.

Aqua also wrote that its researchers’ analysis of the Hadooken binary suggests links to the RHOMBUS and NoEscape ransomware strains.

"Thus we can assume that the threat actors [are] targeting … Windows endpoints to execute a ransomware attack, but also Linux servers to target software often used by big organizations to launch backdoors and cryptominers," Morag wrote in a report about Hadooken published on Thursday. ®

Source: theregister.com