Hackers are on the hunt for Oracle servers vulnerable to potent exploit
Code-execution bug has severity rating of 9.8 out of 10; little skill needed to exploit. …
Hackers are scanning the Internet for machines that have yet to patch a recently disclosed flaw that forces Oracle’s WebLogic server to execute malicious code, a researcher warned Wednesday night.
Johannes Ullrich, dean of research at the SANS Technology Institute, said his organization’s honeypots had detected Internetwide scans that probe for vulnerable servers. CVE-2020-14882, as the vulnerability is tracked, has a severity rating of 9.8 out of 10 on the CVSS scale. Oracle’s October advisory accompanying a patch said exploits are low in complexity and require low privileges and no user interaction.
“At this point, we are seeing the scans slow down a bit,” Ullrich wrote in a post. “But they have reached ‘saturation’ meaning that all IPv4 addresses have been scanned for this vulnerability. If you find a vulnerable server in your network: Assume it has been compromised.”
Honeypots are servers that are deliberately left exposed or unpatched. They’re meant to act as a barometer for tracking Internet attack activity. When hackers scan or exploit them, researchers know that specific vulnerabilities are under threat of attack.
Ullrich said in an interview that SANS honeypots have received GET Web requests that attempt to query whether a server is running a vulnerable version of WebLogic. The honeypots weren’t set up to respond that they were vulnerable, so he doesn’t yet know if the attackers are simply compiling a list of vulnerable machines or are actively exploiting them once they’re found.
In the past few hours, he configured the servers to indicate they’re vulnerable, but so far he has yet to see