Oracle WebLogic Server, a widely used application server for enterprise applications, has recently become a target of a new Linux malware known as Hadooken. This malicious program exploits weak administrator credentials to gain access and deploy malicious payloads.
Attack Flow and Tactics:
Hadooken employs a sophisticated attack flow involving the use of shell and Python scripts to download and execute payloads in non-persistent directories. It drops a cryptominer and Tsunami malware, which provide a foothold for further exploitation. The malware maintains persistence through cron jobs and evades detection using techniques such as base64 encoding and process masquerading.
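A defender-side check for the tactics just described, written as an added example that is not part of the original report: it flags cron entries that decode base64, fetch or pipe payloads into a shell, or run from non-persistent directories, and it flags processes whose reported name does not match the binary they run. The trait names, the sample crontab lines and the process triples are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

STAGING_DIRS = ("/tmp", "/dev/shm", "/var/tmp")  # non-persistent, world-writable
# Cron entry traits matching the persistence and evasion tactics described above.
CRON_PATTERNS = {
    "base64_decode": re.compile(r"\bbase64\s+(-d|--decode)\b"),
    "downloader": re.compile(r"\b(curl|wget)\b"),
    "pipe_to_shell": re.compile(r"\|\s*(sh|bash)\b"),
    "staging_dir": re.compile(r"(?:%s)/" % "|".join(STAGING_DIRS)),
}

def flag_cron_entries(crontab_text):
    """Return [(entry, [trait names])] for each non-comment cron line that matches."""
    hits = []
    for line in crontab_text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        traits = [name for name, rx in CRON_PATTERNS.items() if rx.search(entry)]
        if traits:
            hits.append((entry, traits))
    return hits

def flag_masquerading(processes):
    """processes: (pid, comm, exe) triples as read from /proc/<pid>/comm and
    readlink /proc/<pid>/exe. Flags a process whose name differs from its binary
    (the kernel truncates comm to 15 chars) or whose binary sits in a staging dir."""
    flagged = []
    for pid, comm, exe in processes:
        reasons = []
        if comm != PurePosixPath(exe).name[:15]:
            reasons.append("name_mismatch")
        if any(exe.startswith(d + "/") for d in STAGING_DIRS):
            reasons.append("staging_dir")
        if reasons:
            flagged.append((pid, reasons))
    return flagged

# Constructed sample input; illustrative only, not real Hadooken artifacts.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew
*/15 * * * * echo ZWNobyBoaQ== | base64 -d | sh
@reboot /tmp/.x/start.sh
"""
SAMPLE_PROCESSES = [
    (1234, "java", "/opt/oracle/jdk/bin/java"),
    (4321, "kworker/0:1", "/tmp/.x/miner"),
]
```

Feed `flag_cron_entries` the contents of `/etc/crontab`, `/etc/cron.d/*` and each user's crontab, and `flag_masquerading` the triples gathered from `/proc`; kernel threads have no readable `exe` link, so skip those before calling it.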
Lateral Movement and Ransomware Distribution:
The malware attempts lateral movement by searching for SSH data in various directories. It also has links to potential ransomware distribution, with associated IP addresses connected to Mallox ransomware. A related PowerShell script distributes Mallox, indicating a multi-platform attack strategy.
Vulnerability Impact:
Shodan reveals that over 230,000 internet-connected WebLogic servers are vulnerable to exploitation due to exposed admin consoles. This poses a significant threat to organizations using these servers.
MITRE ATT&CK Framework Analysis:
The Hadooken malware exhibits the following MITRE ATT&CK techniques:
- Initial Access: Exploit Public-Facing Application
- Persistence: Cron Job
- Privilege Escalation: Local
- Lateral Movement: SSH Lateral Movement
- Command and Control: Command and Scripting Interpreter
- Defense Evasion: Process Injection
- Impact: Cryptojacking
Mitigation Measures:
Organizations can implement the following mitigation measures to protect against Hadooken and similar threats:
- Use IaC scanning tools to detect misconfigurations before deployment.
- Implement CSPM tools to scan cloud configurations for risks.
- Scan Kubernetes clusters for misconfigurations.
- Secure container images and Docker files.
- Continuously monitor runtime environments.
Indicators of Compromise (IOCs):
The following IOCs are associated with the Hadooken malware:
- Cryptominer: MD5: 9bea7389b633c331e706995ed4b3999c
- Tsunami Malware: MD5: 8eef5aa6fa9859c71b55c1039f02d2e6
Conclusion:
The Hadooken malware poses a significant threat to organizations using Oracle WebLogic servers. Cybersecurity professionals should be aware of this emerging threat and implement the recommended mitigation measures to protect their systems. By adopting a proactive approach and staying informed about the latest cyber threats, organizations can minimize the risk of compromise and ensure the security of their infrastructure.