Oracle servers targeted by new Linux malware to steal passwords, crypto


Criminals have been spotted abusing poorly defended Oracle WebLogic servers to mine cryptocurrency, build a DDoS botnet, and more.

Cybersecurity researchers at Aqua observed several attacks in the wild and decided to run a honeypot. They then watched a threat actor break through the deliberately weak password set on the honeypot and proceed to install a piece of malware called Hadooken.

This malware, used in “a few dozen” attacks over the past couple of weeks, has two key functions: cryptocurrency mining and a distributed denial of service (DDoS) botnet. Beyond these, the malware grants the attackers full control over the compromised endpoint.

Hadooken

Oracle WebLogic is a Java-based application server that enables the development, deployment, and management of enterprise-level applications.

As a robust, scalable platform for distributed applications, it is used by many firms for web services, portals, and database connectivity, and it typically runs large-scale, mission-critical applications in finance, telecommunications, and e-commerce. That popularity also makes WebLogic a major target for cybercriminals since, as The Register reports, it “includes various vulnerabilities.”

So far, the researchers have only seen the attackers use Hadooken to mine crypto; its other functions have yet to be used. They also noted that Hadooken carries traces of ransomware functionality. “It could be the threat actor will introduce this attack to a Linux ransomware as well, or it is already introduced if the malware runs on the system longer than a sandbox execution,” they said.

Tracing the infrastructure behind the Hadooken malware, the researchers identified two IP addresses. One belongs to a UK hosting company but is registered in Germany. “In the past this IP address was linked to TeamTNT and Gang 8220, but this weak link cannot attribute this attack to any of these threat actors,” the researchers said. The second IP address is registered in Russia under the same hosting company and is currently inactive.

Via The Register

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.