Hackers are scanning the Internet for machines that have yet to patch a recently disclosed flaw that force Oracle’s WebLogic server to execute malicious code, a researcher warned Wednesday night.
Johannes Ullrich, dean of research at the SANS Technology Institute, said his organization’s honeypots had detected Internetwide scans that probe for vulnerable servers. CVE-2020-14882, as the vulnerability is tracked, has a severity rating of 9.8 out of 10 on the CVSS scale. Oracle’s October advisory accompanying a patch said exploits are low in complexity and require low privileges and no user interaction.
“At this point, we are seeing the scans slow down a bit,” Ullrich wrote in a post. “But they have reached ‘saturation’ meaning that all IPv4 addresses have been scanned for this vulnerability. If you find a vulnerable server in your network: Assume it has been compromised.”
Honeypots are servers that are deliberately left exposed or unpatched. They’re meant to act as a barometer for tracking Internet attack activity. When hackers scan or exploit them, researchers know that specific vulnerabilities are under threat of attack.
Ullrich said in an interview that SANS honeypots have received GET Web requests that attempt to query whether a server is running a vulnerable version of WebLogic. The honeypots weren’t set up to respond that they were vulnerable, so he doesn’t yet know if the attackers are simply compiling a list of vulnerable machines or are actively exploiting them once they’re found.
In the past few hours, he configured the servers to indicate they’re vulnerable, but so far he has yet to see active exploits. He also said it’s possible that some of the scans are coming from people doing benign research.
The scans come amid warnings that Russian ransomware hackers are targeting hundreds of US hospitals and healthcare providers. Exploits as potent as those against CVE-2020-14882 would likely provide everything needed to initiate such an attack.
Vulnerable versions of WebLogic include 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Oracle credited voidfyoo of Chaitin Security Research Lab with its discovery.
