Earlier this month, the company fixed over 400 vulnerabilities in their products, and among them was a critical issue with identifier CVE-2020-14882, which scored 9.8 out of 10 on the CVSS vulnerability rating scale.
This vulnerability affects Oracle WebLogic Server (versions 10.3.6.0.0, 22.214.171.124.0, 126.96.36.199.0, 188.8.131.52.0 and 184.108.40.206) and allows an unauthenticated attacker to compromise a vulnerable system with a single HTTP GET request. Because the flaw is so easy to exploit, security specialists expected attackers to adopt it quickly, and that is exactly what happened.
Honeypots operated by the SANS Institute have already recorded the first attacks against this vulnerability, following the recent public release of an exploit for CVE-2020-14882. According to the researchers, the attacks come from the following IP addresses:
• 220.127.116.11 (China Unicom, China);
• 18.104.22.168 (Linode, USA);
• 22.214.171.124 (MivoCloud, Moldova);
• 126.96.36.199 (DataCamp Ltd, Hong Kong).
So far, most of the activity consists of simple probes of potential targets and scanning for vulnerable systems, although the attackers operating from the MivoCloud address have already attempted to execute a cmd /c command. SANS cannot provide more detail about the follow-up requests, because the honeypots are configured not to return the response an attacker would expect from a genuinely vulnerable server.
The exploit used in these attacks appears to be based on a publication by a Vietnamese security researcher, who published an extended article on the issue on his blog this week.
According to Spyse, there are currently over 3,000 Oracle WebLogic servers exposed on the internet that are potentially vulnerable to CVE-2020-14882.