New Sodinokibi ransomware delivered via Oracle WebLogic vulnerability

News by Bradley Barth

Ransomware used Windows feature to delete shadow copies and prevent data recovery

A remotely exploitable vulnerability in the Oracle WebLogic Server is currently the attack vector of choice for malicious actors to deliver a newly discovered ransomware called Sodinokibi.

Sokinokibi encrypts data found in the user directory and leverages the Microsoft Windows vssadmin.exe utility to delete any "shadow copies" (created by default back-up mechanisms) in order to prevent data recovery, researchers from Cisco’s Talos threat research group have reported in a company blog post. The malware’s ransom note directs victims to either a .onion website or to the public domain decryptor[.]top to make a payment for a decryption program.

The server vulnerability, CVE-2019-2725, is a critical remote code execution flaw that is caused by a deserialisation error. Oracle patched the bug in an April 26 out-of-band security update after it was discovered that adversaries had been exploiting it earlier that month as a zero-day.

WebLogic users who have not downloaded the update remain prone to attack. Attackers can simply cause the servers to download a copy of Sodinokibi from a malicious IP address, without even having to trick the victim into performing an unsafe action.

In a case Talos has been investigating, the Sokinokibi actors first initiated their ransomware attack on April 25, the day before Oracle issued its security update.

"Due to the ubiquity of Oracle WebLogic servers and the ease of exploitation of this vulnerability, Talos expects widespread attacks involving CVE-2019-272," states the blog post, co-authored by researchers Pierre Cadieux, Colin Grady, Jaeson Schultz and Matt Valites.

During their investigation into one particular Sodinokibi infection, the researchers noticed the attackers attempted to exploit the WebLogic flaw a second time to infect the same victim with the better known Gandcrab ransomware

"Sodinokibi being a new flavour of ransomware, perhaps the attackers felt their earlier attempts had been unsuccessful and were still looking to cash in by distributing Gandcrab," wrote the researchers, who in their blog post list a series of recommended countermeasures to defend against the attack.

James Hadley, CEO of Immersive Labs, told SC Media UK that as the Sodinokibi malware is able to spread without user interaction and encrypts files, the members of staff most at risk of falling victim to it will be the administrators who deal directly with the computer networks.

"This, coupled with the fact that it’s an entirely new piece of ransomware within the threat landscape, only compounds the importance for businesses to ensure their cyber and IT teams are constantly sharpening their skills. Those at the front line need to know exactly what they’re looking for, and in this case, they need to do as advised and use the patch that Oracle has released as a matter of urgency. Failing to do so means that the knock-on effect on day-to-day operations and, more broadly, business performance could be immense," he said.

The original version of this article was first published on SC Media US.

Additional reporting by Rene Millman.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming event 

Webcast: Understanding this year's biggest adversaries - and how to combat them 

Nation-state activity, versatile, slippery strategies and Big Game Hunting - the threats are real, dangerous and ever changing. 
Brought to you in partnership with Crowdstrike