A recently discovered zero-day vulnerability has been abused for over a week to infect Oracle WebLogic servers with at least two strains of ransomware, security researchers from Cisco Talos have told ZDNet.

Crooks have abused this zero-day to install a new strain of ransomware called Sodinokibi and, in some cases, versions of the older and better-known GandCrab ransomware.

Inefficient targeting of WebLogic servers

These ransomware attacks are head-scratching for industry experts.

Oracle WebLogic is a type of web server that sits between the frontend and backend of large-scale web applications and has a very limited and narrow scope: to reroute web requests to the proper part of a backend and return the results to the frontend.

It is a very simple, yet powerful, middleware tool that is easy to back up and easy to reinstall within minutes. Because of this, installing ransomware on Oracle WebLogic servers is as useless as past ransomware campaigns that targeted Magento or Drupal sites.

Server owners can easily restore from backups or reinstall a server without losing access to sensitive files, since they only have to reinstall a few business logic apps; most of the user data is stored in a database, out of the ransomware's reach.

"It is like installing ransomware on a web server," Jaeson Schultz, Technical Leader at Cisco Talos, told ZDNet in an email. "Because of this, the scope of the attack we investigated was severely limited."

"In this case, the victim had functioning backups, logs, and even packet captures of the offending activity, which greatly aided our analysis."

WebLogic zero-day has now received a patch

According to a report[1] Schultz's team published today, attackers exploited CVE-2019-2725, a zero-day in WebLogic
