Hackers are actively exploiting unrepaired Oracle WebLogic servers against CVE-2020-14882 to develop Cobalt Strike beacons that allow constant remote access to compromised devices.
Cobalt Strike is a legitimate penetration testing tool used by hackers in post-breach tasks and to development of so-called beacons that allow them to gain constant remote access.
This later allows them to access the compromised servers to collect data and develop malware payloads.
Incoming ransomware attacks
CVE-2020-14882 (RCE) Remote Code Defect was fixed by Oracle during last month's Critical Patch Update and used by invaders for scan for exposed WebLogic servers one week later.
Since then, a relative vulnerability RCE without authentication referred to as CVE-2020-14750 - which also allows unauthorized retrieval of unpatched instances - was addressed by a security update released last weekend.
This last series attacks targeting vulnerable WebLogic instances launched over the weekend, as SANS ISC operator Renato Marinho revealed in an advisory.
Attackers use a chain of scripts Powershell with base64 encoding to download and install Cobalt Strike payloads on unpatched Oracle WebLogic servers.
Administrators were prompted to fix the systems immediately
As both CVE-2020-14882 and CVE-2020-14750 can be easily exploited by unauthorized invaders to withdraw vulnerable WebLogic servers, Oracle advises companies to apply immediately security updates to block them attacks.
"Because of the seriousness of this vulnerability, Oracle recommends that customers implement them updates provided by this Security Alert as soon as possible after the implementation of the Critical Patch Update of October 2020 ″, the company said in the weekend advisory.
CISA also called them managers apply the update security as soon as possible to address the two critical vulnerabilities.
Source of information: bleepingcomputer.com
Greek
Chinese (Simplified)
English
Greek
Russian