Oracle patched a vulnerability in their WebLogic server in October 2020 – eight days later working exploit code was published online and now it is being used by criminals.
CVE-2020-14882 allows an attacker to perform a Remote Code Execution attack with minimal effort or skill required. Juniper Networks security researchers reports at least five different payload and attack variations being delivered using this vulnerability. One example, the DarkIRC bot, can be bought as a kit on the dark web for just $75.
Soon after the vulnerability was disclosed in Oracle’s October security patch bundle, researchers at the Sans Internet Storm Center reported that mass scanning had been detected across the entire IP4 address space – leading them to comment: If you find a vulnerable server on your network: assume it has been compromised.
The vulnerability allows a specially crafted HTTP Get to execute a powershell script on the server which then downloads and installs a malware payload.
The speed and scale of the response by cyber criminals to the disclosure of this WebLogic vulnerability poses a challenge to security managers as waiting for the scheduled monthly patch cycles to be installed may be too slow a response to prevent systems from being compromised once widespread attacks begin against a newly published vulnerability. In addition to following the monthly patch cycle as a matter of course, an additional pro-active monitoring activity may be needed to identify critical vulnerabilities that need to be addressed immediately.