Hadooken malware targeting Oracle WebLogic servers

Read Time:1 Minute, 45 Second

Oracle WebLogic Server, a widely used application server for enterprise applications, has recently become a target of a new Linux malware known as Hadooken. This malicious program exploits weak administrator credentials to gain access and deploy malicious payloads.
Attack Flow and Tactics:
Hadooken employs a sophisticated attack flow involving the use of shell and Python scripts to download and execute payloads in non-persistent directories. It drops a cryptominer and Tsunami malware, which provide a foothold for further exploitation. The malware maintains persistence through cron jobs and evades detection using techniques such as base64 encoding and process masquerading.
Lateral Movement and Ransomware Distribution:
The malware attempts lateral movement by searching for SSH data in various directories. It also has links to potential ransomware distribution, with associated IP addresses connected to Mallox ransomware. A related PowerShell script distributes Mallox, indicating a multi-platform attack strategy.
Vulnerability Impact:
Shodan reveals that over 230,000 internet-connected WebLogic servers are vulnerable to exploitation due to exposed admin consoles. This poses a significant threat to organizations using these servers.
MITRE ATT&CK Framework Analysis:
The Hadooken malware exhibits the following MITRE ATT&CK techniques:

  • Initial Access: Exploit Public-Facing Application
  • Persistence: Cron Job
  • Privilege Escalation: Local
  • Lateral Movement: SSH Lateral Movement
  • Command and Control: Command and Scripting Interpreter
  • Defense Evasion: Process Injection
  • Impact: Cryptojacking
    Mitigation Measures:
    Organizations can implement the following mitigation measures to protect against Hadooken and similar threats:
  • Use IaC scanning tools to detect misconfigurations before deployment.
  • Implement CSPM tools to scan cloud configurations for risks.
  • Scan Kubernetes clusters for misconfigurations.
  • Secure container images and Docker files.
  • Continuously monitor runtime environments.
    Indicators of Compromise (IOCs):
    The following IOCs are associated with the Hadooken malware:
  • Cryptominer: MD5: 9bea7389b633c331e706995ed4b3999c
  • Tsunami Malware: MD5: 8eef5aa6fa9859c71b55c1039f02d2e6
    Conclusion:
    The Hadooken malware poses a significant threat to organizations using Oracle WebLogic servers. Cybersecurity professionals should be aware of this emerging threat and implement the recommended mitigation measures to protect their systems. By adopting a proactive approach and staying informed about the latest cyber threats, organizations can minimize the risk of compromise and ensure the security of their infrastructure.

Leave a Reply

Your email address will not be published. Required fields are marked *