Security researchers say DarkIRC botnet is currently targeting thousands of exposed Oracle WebLogic servers by exploiting vulnerabilities CVE-2020-14882. Hackers can exploit this vulnerability and take full control of a system by sending a simple HTTP GET request. The vulnerability has been assessed as critical, receiving a severity score of 9,8 out of 10, while affecting publications 10.3.6.0.0, 220.127.116.11.0, 18.104.22.168.0, 22.214.171.124.0 and 126.96.36.199 Oracle WebLogic Server.
The vulnerability was discovered by security researcher "Voidfyoo" of the Chaitin Security Research Lab. In accordance with Shodan, 2.973 Oracle WebLogic servers exposed in Internet are potentially vulnerable to remote attacks exploiting this vulnerability. Most of them systems are located at China (829), followed by USA (526) and the Iran (369).
In addition, researchers at Juniper Threat Labs observed at least five different variants of malicious payloads. One of the payloads that researchers have noticed that targets Oracle WebLogic servers is DarkIRC malware currently sold in hacking forums, priced at $ 75.
Searching for the cybercriminals behind this threat, the researchers discovered an account at Hack Forums with the name “Freak_OG” DarkIRC botnet has been advertising since August 2020. However, it is not clear if Freak_OG is behind the recent wave of attacks.
Intruders sent an HTTP GET request to a vulnerable WebLogic server, which ran a PowerShell script to download and run a binary file hosted on cnc [.] C25e6559668942 [.] Xyz.
DarkIRC botnet operators used encryption to avoid detection. Additionally, malware implements a function Bitcoin clipper to hack Bitcoin transactions on the infected system, changing the address of the Bitcoin wallet that has been copied to the Bitcoin wallet address of the malware operator.
In October, security researchers at the SANS Technology Institute created a collection of honeypots which allowed them to detect a series of attacks shortly after the publication of the exploit code for vulnerability CVE-2020-14882. Also, in early November, at least one ransomware The gang took advantage of the CVE-2020-14882 vulnerability that affects Oracle WebLogic servers.
Finally, CISA recommends that administrators apply the security update to secure their servers.