Hackers are scanning the Internet for computers that have not yet patched a recently reported bug that allows Oracle's WebLogic server to be forced to execute malicious code, a researcher warned Wednesday evening.
Johannes Ullrich, dean of research at the SANS Technology Institute, said his organization's honeypots detected Internet-wide scans looking for vulnerable servers. CVE-2020-14882 carries a severity rating of 9.8 out of 10 on the CVSS vulnerability-scoring scale. Oracle's October advisory, which accompanied a patch, states that exploits are low in complexity and require only low privileges and no user interaction.
"At this point, the scans slow down a bit," wrote Ullrich in a post. "However, they have reached saturation, which means that all IPv4 addresses have been checked for this vulnerability. If you find a vulnerable server on your network, suppose it has been compromised."
Honeypots are servers that are intentionally left exposed or unpatched. They are meant to serve as a barometer of attack activity on the Internet: when hackers scan or exploit them, researchers know that a particular vulnerability is under active attack.
Ullrich said in an interview that the SANS honeypots received HTTP GET requests that attempted to determine whether a server was running a vulnerable version of WebLogic. The honeypots were not set up to respond as if they were vulnerable, so he does not yet know whether the attackers are merely compiling a list of vulnerable machines or exploiting them as soon as they are found.
Over the past few hours he has reconfigured the servers to present themselves as vulnerable, but has not yet observed any active exploitation. He also said it is possible that some of the scans came from people doing benign research.
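The scanning pattern Ullrich describes (a single GET probe per source arriving from a large number of addresses) is something a defender can look for in their own web-server logs. The following is an added example, not code from the article or from SANS: it parses a few constructed Apache combined-format log lines and separates one-shot probes of the WebLogic administration console from ordinary administrator sessions. It assumes the console is served under the path `/console` and that the log format is Apache combined; the IP addresses and user agents in the sample are made up.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined log format; none of this is real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [29/Oct/2020:21:02:11 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [29/Oct/2020:21:02:12 +0000] "GET /console/css/main.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Oct/2020:21:05:44 +0000] "GET /console/ HTTP/1.1" 302 0 "-" "python-requests/2.24.0"
198.51.100.8 - - [29/Oct/2020:21:05:45 +0000] "GET /console/ HTTP/1.1" 302 0 "-" "python-requests/2.24.0"
198.51.100.9 - - [29/Oct/2020:21:05:46 +0000] "GET /console/ HTTP/1.1" 302 0 "-" "curl/7.68.0"
192.0.2.33 - - [29/Oct/2020:21:06:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [timestamp] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Assumption: the WebLogic administration console is served under /console.
CONSOLE_PREFIX = "/console"


def parse_line(line):
    """Parse one combined-format log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def console_probes(log_text):
    """Group GET requests that touch the console path by source IP.

    Returns {ip: [(path, user_agent), ...]} in request order; other paths are ignored.
    """
    probes = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        path = rec["path"]
        if path == CONSOLE_PREFIX or path.startswith(CONSOLE_PREFIX + "/"):
            probes[rec["ip"]].append((path, rec["ua"]))
    return dict(probes)


def scanner_candidates(log_text, max_requests=1):
    """Return sorted source IPs that touched the console path at most max_requests times.

    One request to the console root from a source that never comes back is the
    footprint of an Internet-wide sweep rather than of an administrator's session,
    which loads the login page and its assets over several requests.
    """
    probes = console_probes(log_text)
    return sorted(ip for ip, reqs in probes.items() if len(reqs) <= max_requests)


def summarize(log_text):
    """Two counts worth graphing: distinct sources hitting the console, and single-shot probes."""
    probes = console_probes(log_text)
    return {
        "console_sources": len(probes),
        "single_shot_probes": len(scanner_candidates(log_text)),
    }


if __name__ == "__main__":
    for ip in scanner_candidates(SAMPLE_LOG):
        print("possible scanner:", ip)
    print(summarize(SAMPLE_LOG))
```

On the sample above, the three `python-requests`/`curl` sources each show up once and are reported as scanner candidates, while the browser session from `203.0.113.10` (two requests) is not. In real logs, a sudden rise in `single_shot_probes` against the console path is the signal Ullrich's honeypots picked up, and the server-side answer is the same regardless of who is scanning: apply Oracle's patch and keep the console off the public Internet.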
The scans come amid warnings that Russian ransomware hackers are targeting hundreds of US hospitals and health-care providers. Exploits as effective as those against CVE-2020-14882 would likely provide everything needed to initiate such an attack.
The vulnerable versions of WebLogic include 10.3.6.0.0 and four later release lines listed in Oracle's advisory. Oracle credited voidfyoo of the Chaitin Security Research Lab with the discovery.