Cybersecurity Threat Advisory 0021-19: New ‘Sodinokibi’ Ransomware Exploits WebLogic Deserialization Remote Code Execution Vulnerability (CVE-2019-2725)

 What is the threat?A zero-day vulnerability in Oracle WebLogic Servers is actively being exploited in the wild by a sophisticated new ransomware variant dubbed “Sodinokibi”. The ransomware variant attempts to encrypt data found in the user directory and leverages the Microsoft Windows vssadmin.exe utility to delete any shadow copy backups to make data recovery more difficult. The critical remote code execution vulnerability has a CVSS score of 9.8/10 because the flaw is remotely exploitable without the need for authentication and anyone with HTTP access to the WebLogic server can attempt to execute an attack. 


Why is this noteworthy?Malicious actors are actively exploiting the flaw in Oracle WebLogic to install the new ransomware variant. Typically, ransomware variants require user interaction but the Sodinokibi ransomware does not require clicking or any other form of user interaction. Attackers are leveraging the flaw to easily install the ransomware from malicious IPs by sending an HTTP POST request to the target server, containing a PowerShell command to download the malicious executable. 


What is the exposure or risk?Oracle WebLogic Servers that have not been updated with the latest patch remain prone to the attack. Successful exploitation of the vulnerability can result in the takeover of the target WebLogic Server. Additionally, successful exploitation can lead to a breach and/or significant data loss if unrecoverable. 
Versions Oracle WebLogic Server’s Affected:• 10.3.6.0• 12.1.3.0


What can you do?SkOUT recommends installing the patch released by Oracle for the deserialization vulnerability in Oracle WebLogic Server WebLogic Servers (CVE-2019-2725) as soon as possible; reference link to Oracle’s patch information can be found directly below. 
Oracle Security Alert Advisory – CVE-2019-2725:https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html
If you are a victim of a ransomware attack, SkOUT Recommends: • Do not pay the ransom• Do not attempt to contact the adversary

References:For more in-depth information about the recommendations, please visit the following link:

  • https://arstechnica.com/information-technology/2019/04/zeroday-attackers-deliver-a-double-dose-of-ransomware-no-clicking-required/
  • https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html
  • https://blog.rapid7.com/2019/05/03/weblogic-deserialization-remote-code-execution-vulnerability-cve-2019-2725-what-you-need-to-know/
  • https://threatpost.com/new-sodinokibi-ransomware-exploits-critical-oracle-weblogic-flaw/144233/

If you have any questions, please contact our Secure Intelligence Center 855.838.4500 | +1.631.622.9467
Find Trouble Before Trouble Finds You.