Oracle’s WebLogic CVE-2019-2725 CRITICAL vulnerability allows spreading of Sodinokibi ransomware

Malicious users are exploiting a vulnerability in Oracle WebLogic CVE-2019-2725 to install a ransomware called Sodinokibi.

Once executed, the Trojan creates the following file:
[PATH TO ENCRYPTED FILES]\[RANDOM EXTENSION]-HOW-TO-DECRYPT.txt, deletes Shadow Volume Copies and disables Windows startup repair.

Next, the Trojan encrypts files on the compromised server. The Trojan appends a random extension to encrypted files that is unique for each compromised computer and creates a ransom note file in each folder containing encrypted files: [PATH TO ENCRYPTED FILES]\[RANDOM EXTENSION]-HOW-TO-DECRYPT.txt
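The two behaviours described above (the per-folder ransom note named after the random extension, and the deletion of Shadow Volume Copies / disabling of startup repair) are what an incident responder would look for first on a suspected WebLogic host. The script below is an added example, not code from the original post or from any vendor: it walks a directory tree, recovers the random extension from the ransom-note filename pattern, counts the files carrying that extension, and separately flags process command lines that tamper with recovery. The directory layout and the log lines are constructed samples, and the assumption that the recovery tampering shows up as `vssadmin` / `bcdedit` command lines in process-creation logs is mine, not something the post states.

```python
import os
import re
import shutil
import tempfile
from pathlib import Path

# Ransom-note naming pattern from the post: <random extension>-HOW-TO-DECRYPT.txt
NOTE_RE = re.compile(r"^(?P<ext>[A-Za-z0-9]+)-HOW-TO-DECRYPT\.txt$", re.IGNORECASE)


def find_ransom_notes(root):
    """Map each random extension found in note filenames to the note paths under root."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = NOTE_RE.match(name)
            if m:
                found.setdefault(m.group("ext"), []).append(os.path.join(dirpath, name))
    return found


def count_encrypted(root, ext):
    """Count files whose name ends with the appended random extension (notes excluded)."""
    suffix = "." + ext.lower()
    return sum(
        1
        for dirpath, _dirs, files in os.walk(root)
        for name in files
        if name.lower().endswith(suffix) and not NOTE_RE.match(name)
    )


def triage(root):
    """Per extension: how many notes were dropped and how many files carry that extension."""
    return {
        ext: {"notes": len(paths), "encrypted_files": count_encrypted(root, ext)}
        for ext, paths in find_ransom_notes(root).items()
    }


# Assumption (not from the post): recovery tampering is visible as process command lines,
# e.g. in Sysmon Event ID 1 or Security 4688 records. These are the commonly documented forms.
RECOVERY_TAMPER = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("startup_repair_disabled", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
    ("startup_repair_disabled", re.compile(r"bcdedit(\.exe)?.*bootstatuspolicy\s+ignoreallfailures", re.I)),
]


def flag_recovery_tampering(log_lines):
    """Return (label, line) for every log line matching a recovery-tampering pattern."""
    hits = []
    for line in log_lines:
        for label, pattern in RECOVERY_TAMPER:
            if pattern.search(line):
                hits.append((label, line.strip()))
                break
    return hits


def build_sample_tree():
    """Constructed sample: a tiny tree shaped like the post's description of an infected host."""
    root = tempfile.mkdtemp(prefix="sodin_triage_")
    ext = "k7t2p"  # constructed stand-in for the per-host random extension
    layout = {
        "Documents": ["budget.xlsx." + ext, "memo.docx." + ext, ext + "-HOW-TO-DECRYPT.txt"],
        "Documents/Archive": ["old.pdf." + ext, ext + "-HOW-TO-DECRYPT.txt"],
        "Untouched": ["readme.txt"],
    }
    for sub, names in layout.items():
        d = Path(root, sub)
        d.mkdir(parents=True, exist_ok=True)
        for name in names:
            (d / name).write_bytes(b"constructed sample content")
    return root


# Constructed process-creation log lines (hostname, user and format are made up).
SAMPLE_LOG = [
    '2019-04-30 10:12:01 host=WEB01 user=SYSTEM cmd="C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet"',
    '2019-04-30 10:12:02 host=WEB01 user=SYSTEM cmd="bcdedit /set {default} recoveryenabled no"',
    '2019-04-30 10:13:00 host=WEB01 user=svc_wls cmd="java -jar weblogic.jar"',
]

if __name__ == "__main__":
    root = build_sample_tree()
    try:
        print("filesystem triage:", triage(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)
    for label, line in flag_recovery_tampering(SAMPLE_LOG):
        print("recovery tampering:", label, "<-", line)
```

`triage` reports one extension per compromised host, which matches the post's statement that the extension is unique per machine; more than one extension under a single share would point at several infected hosts writing into it. The log check deliberately stops at the first matching pattern per line so a single command is not double-counted.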

The ransom note informs the user their files have been encrypted and provides instructions on how they may pay to have the files decrypted.

Unfortunately CVE-2019-2725 is very easy for attackers to exploit, as anyone with HTTP access to a WebLogic server could carry out an attack. Because of this, the bug has a CVSS v3.0 Base Score: 9.8 CRITICAL.

So how safe are you feeling when visiting a WebLogic server app these days? :/

Passionate Archer, Runner, Linux lover and JAVA Geek! That's about everything! He has worked for many years as a Software Architect designing and developing enterprise projects, e-banking and high availability portals with extensive experience in the public, European and private sectors. Having spoken at several conferences, he never misses opportunities to interact with the OSS community. In his leisure time he either runs or shoots a lot of arrows!
