Cybercrime is still exploiting the WebLogic Server Remote Code Execution (RCE) vulnerability CVE-2020-2883, patched in April, to launch waves of cyber attacks. Oracle: Update it now!
Cybercrime is exploiting a number of recently patched vulnerabilities, including the Remote Code Execution (RCE) flaw CVE-2020-2883, to launch waves of cyber attacks. The flaw affects multiple versions of WebLogic Server. It was reported by Oracle cyber security experts, who already released a critical patch in April to cover it. But, according to them, many users didn't install it, so malicious cyber actors are now known to be targeting unpatched servers. WebLogic is a Java-based middleware server that sits between a front-facing application and a database system, routing user requests and returning the needed data. It is a wildly popular middleware solution, with tens of thousands of servers currently running online.
The cyber security experts: the flaw allows threat actors to send a malicious payload to a server via its proprietary T3 protocol. This is done to run cryptocurrency miners or to breach corporate networks and install ransomware.
According to the cyber security experts, the Oracle WebLogic vulnerability allows cybercriminals to send a malicious payload to a server via its proprietary T3 protocol. ZDNet reports that the attack takes place when the server receives the data and unpacks (deserializes) it in an unsafe manner, which also runs malicious code on the underlying WebLogic core and allows the attacker to take control of unpatched systems. Moreover, no user authentication or interaction is needed to exploit CVE-2020-2883, which makes it suitable for integration into automated web-based attack tools and botnet operations. Current exploitation attempts appear to have started after proof-of-concept code was published on GitHub on April 15. Threat actors have been using these vulnerabilities to hijack servers to run cryptocurrency miners or to breach corporate networks and install ransomware.
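Because the attack rides on the T3 protocol, one practical defensive check is to ask which sources are even allowed to open a T3 session with a WebLogic listener. The following triage script is an added example, not Oracle's code or anything from the article: it recognises the plaintext T3 client banner at the start of a TCP stream and flags T3 handshakes from networks that have no business speaking T3. The allowed network and the sample connections are constructed assumptions.

```python
"""Added example: flag T3 handshakes reaching a WebLogic listener from
networks that should never speak T3. Not Oracle's code; the policy and
the sample connections below are constructed for illustration."""
import ipaddress
import re

# A T3 client opens with a short text banner before any serialized
# objects are sent, e.g. b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n".
# Secure T3 (t3s) is TLS-wrapped, so only the plaintext variant is
# visible to a passive check like this one.
T3_BANNER = re.compile(rb"^t3s? (?:\d+\.)+\d+\n")

# Assumed policy (not from the article): T3 is legitimate only from an
# internal application network; every other source is denied and logged.
T3_ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_t3_handshake(first_bytes: bytes) -> bool:
    """True if the first bytes of a TCP stream look like a T3 client banner."""
    return T3_BANNER.match(first_bytes) is not None


def t3_verdict(src_ip: str, first_bytes: bytes) -> str:
    """Classify one inbound connection as 'allow', 'deny-t3' or 'not-t3'."""
    if not is_t3_handshake(first_bytes):
        return "not-t3"          # HTTP and other traffic is out of scope here
    src = ipaddress.ip_address(src_ip)
    if any(src in net for net in T3_ALLOWED_NETS):
        return "allow"
    return "deny-t3"             # T3 from outside the allowed network


def triage(connections):
    """Return (source IP, verdict) for each (source IP, first bytes) pair."""
    return [(ip, t3_verdict(ip, data)) for ip, data in connections]


# Constructed sample connections to the WebLogic port.
SAMPLE_CONNECTIONS = [
    ("10.20.30.40", b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"),
    ("203.0.113.5", b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"),
    ("203.0.113.9", b"GET /console HTTP/1.1\r\nHost: weblogic\r\n\r\n"),
]

if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE_CONNECTIONS):
        print(f"{ip:15} {verdict}")
```

WebLogic's own network connection filter can enforce the same deny-by-default rule for T3 on the server itself; this script only shows the triage logic a defender would apply to captured connection data.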