Oracle servers targeted by new Linux malware to steal passwords, crypto
Hackers are exploiting weak Oracle WebLogic servers to deploy malware
Criminals have been spotted abusing poorly-defended Oracle WebLogic servers to mine cryptocurrency, build a DDoS botnet, and more.
Cybersecurity researchers at Aqua saw several attacks in the wild and decided to run a honeypot. They then watched a threat actor break through the weak password that had been set up and proceed to install a piece of malware called Hadooken.
This malware, used in “a few dozen” attacks over the past couple of weeks, comes with two key functionalities - cryptocurrency mining, and a distributed denial of service (DDoS) botnet. Furthermore, the malware grants the attackers full control over the compromised endpoint.
Hadooken
Oracle WebLogic is a Java-based application server that enables the development, deployment, and management of enterprise-level applications.
A robust, scalable platform for distributed applications, it is used by many firms for web services, portals, and database connectivity, and it typically runs large-scale, mission-critical applications in finance, telecommunications, and e-commerce. That popularity also makes WebLogic a major target for cybercriminals since, as The Register reports, it “includes various vulnerabilities.”
So far, the researchers have seen the hackers use Hadooken only to mine crypto, while its other functionalities are yet to be used. They also noted that Hadooken has traces of ransomware functionality. “It could be the threat actor will introduce this attack to a Linux ransomware as well, or it is already introduced if the malware runs on the system longer than a sandbox execution,” they said.
Tracing the IP addresses of the Hadooken malware, the researchers came to two IP addresses, one of which belongs to a UK hosting company, but is registered in Germany. “In the past this IP address was linked to TeamTNT and Gang 8220, but this weak link cannot attribute this attack to any of these threat actors,” the researchers said. The second IP address is registered in Russia, under the same hosting company. It is currently inactive.
Via The Register
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.