{"id":48436,"date":"2022-09-14T00:00:00","date_gmt":"2022-09-14T00:00:00","guid":{"rendered":"urn:uuid:cd8c0752-b3bc-e170-a658-a1ff203bca26"},"modified":"2022-09-14T00:00:00","modified_gmt":"2022-09-14T00:00:00","slug":"a-post-exploitation-look-at-coinminers-abusing-weblogic-vulnerabilities","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/a-post-exploitation-look-at-coinminers-abusing-weblogic-vulnerabilities\/","title":{"rendered":"A Post-exploitation Look at Coinminers Abusing WebLogic Vulnerabilities"},"content":{"rendered":"

<\/p>\n

<\/div>\n
\n
\n

Using Workload Security to detect WebLogic vulnerability exploitation<\/span><\/h3>\n

Workload Security\u2019s correlation of telemetry and detections provided the initial security context in this campaign, which allowed security teams and analysts to track and monitor the malicious actor\u2019s activities.<\/p>\n

The following Workload Security modules worked to detect the exploitation of CVE-2020-14882 on vulnerable systems:<\/p>\n

Intrusion prevention system module<\/i><\/b><\/p>\n

Workload Security\u2019s intrusion prevention system module can tap into incoming traffic and effectively block and detect malicious network traffic. This module includes multiple IPS rules that can block the vulnerability exploitation of the WebLogic server. One of these is IPS rule 1010590 – Oracle WebLogic Server Remote Code Execution Vulnerabilities (CVE-2020-14882, CVE-2020-14750 and CVE-2020-14883), which can detect and block the exploitation of vulnerabilities assigned to both CVE-2020-14882\u202fand\u202fCVE-2020-14883.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

In figure 4, the malicious actor sent a crafted request that attempted to access the console.portal <\/i>resource under the \u201cimages\u201d <\/i>directory. The \u201c%252e%252e<\/i>\u201d is a double URL-encoded string of the \u201c..\u201d directory traversal pattern. Because the class managing the targeted resource did not validate the input, it automatically computed the code that the attacker provided. In this case, the attacker forced the server to read the contents of the wb.xml<\/i> file, which downloaded a shell script with the following contents:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

Antimalware module<\/i><\/b><\/p>\n

This module provides real-time protection against the exploitation of this vulnerability using behavior-monitoring features. <\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

Web reputation module<\/i><\/b><\/p>\n

The web reputation module\u202fprotects systems against web threats by blocking access to malicious URLs. In our investigation, this module immediately identified and blocked the wb.sh<\/i> script\u2019s attempt to download the Kinsing malware.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

Activity monitoring module<\/i><\/b><\/p>\n

This module can detect process, file, and network activities on endpoints that are running the Cloud One Workload Security solution. As seen on figure 13, the activity monitoring module detected the Java process that was attempting to open a bash shell.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

A closer look at the WebLogic vulnerability exploitation using Trend Micro Vision One and Trend Micro Cloud One<\/span><\/h3>\n

In our investigation of this Kinsing campaign, Trend Micro Vision One provided real-time details into the paths and events related to this attack. This section provides insights on the activities performed by the downloaded shell script, the detections provided by the Trend Micro Cloud One and Trend Micro Vision One solutions, and how the said solutions provide information on every step of the malware’s behavior.<\/p>\n

<\/h2>\n

After the successful exploitation of the vulnerability, the wb.sh<\/i> file was downloaded into the host machine. In infected machines that do not run Workload Security and Vision One, it would attempt to perform the following malicious actions:<\/p>\n

1.     The script would check if the \u201c\/tmp\/zzza<\/i>\u201d <\/b>file was present, which would then trigger the script to stop. <\/b>Otherwise, it would create an empty file and would perform the other actions. It is a flag used to verify that two or more instances are not running on the same host. This file can also be used to stop further infections if created manually.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

2.     The script would increase the resource limit using the \u201culimit<\/i>\u201d <\/i>command and remove the \/var\/log\/syslog<\/i> file. <\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

3.     It would make multiple files immutable so that it can update them. <\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

4.     It would also disable multiple security features within the system.<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

5.     It would disable \u201dalibaba,\u201d \u201dbydo,\u201d and \u201cqcloud\u201d cloud service agents.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

6.     Like other cryptocurrency-mining malware, it would start removing or killing off other cryptocurrency miners\u2019 processes within the infected system.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

7.     It would also remove some Docker images that belonged to other cryptocurrency-mining malware.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

8.     Until this point, the script worked as a stager \u2014 it would remove the files and processes that were related to other cryptominers and malware families. It would also disable security features and would modify the attributes of important files so that they can be manipulated. After the script performs all these steps, it would then download the\u202fKinsing\u202f<\/b>malware.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

9.     It would check if the user was root or not and would then select the path and utility (wget and curl) to download the malicious binary.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

10.     It would then create a cronjob to download the wb.sh<\/i> script.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

Observed attack techniques (OATs)<\/i><\/b><\/p>\n

Observed attack techniques (OATs) are generated from individual events that provide security value. To investigate possible attempts of exploitation using this vulnerability, analysts can look for these OAT IDs from many other helper OAT triggers that can indicate suspicious activities on the affected host.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

<\/h2>\n

The Trend Micro Vision One Workbench app helps analysts see the significant correlated events that are intelligently based on the occurrences that happened throughout the entire fleet of workloads.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

The left side of figure 25 shows the summarized sequence of events. Meanwhile, security analysts can view the different fields of interest that are considered important and provide security value on the right side. The app allows security teams to see compromised assets and isolate those that can be potentially affected while patching and mitigation procedures are in progress.<\/p>\n

Execution profile<\/i><\/b><\/p>\n

Execution profile is a Trend Micro Vision One feature that generates graphs for security defenders. Fields like \u201cprocessCmd\u201d and \u201cobjectCmd\u2019 can be expanded from the search app or the threat hunting app to look for different activities in any given period. These activities include process creation, file creation, and inbound and outbound network activity.<\/p>\n

If \u201cCheck Execution Profile\u201d is selected, a security analyst can go through the extensive list of actions that a malicious actor has performed.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

Threat hunting queries<\/i><\/b><\/p>\n

To hunt down potential malicious activity within the environment, security analysts can use the following queries using the Trend Micro Vision One search app:<\/p>\n

1. To find the potential misuse of Java applications to open bash process: processFilePath:\/bin\/java AND objectFilePath:\/usr\/bin\/bash<\/i> <\/p>\n

2. To find the use of curl or wget initiated by Java via bash:<\/p>\n

a.      processFilePath:\/bin\/java AND objectFilePath:\/usr\/bin\/bash AND (objectCmd:curl <\/i>or objectCmd:wget)<\/i><\/p>\n

3. To find the execution of Base64-decoded string execution by Java via bash:<\/p>\n

a.      processFilePath:\/bin\/java AND objectFilePath:\/usr\/bin\/bash AND objectCmd:base64<\/i><\/p>\n

How Trend Micro Vision One and Trend Micro Cloud One \u2013 Workload Security can help thwart vulnerability exploitation<\/span><\/h2>\n

In this blog entry, we discussed how malicious actors exploited a two-year-old vulnerability and attempted to deploy the Kinsing malware into a vulnerable system. The successful exploitation of this vulnerability can lead to RCE, which can allow attackers to perform a plethora of malicious activities on affected systems. This can range from malware execution, as in the case of our analysis, to theft of critical data, and even complete control of a compromised machine.<\/p>\n

Trend Micro Vision One<\/a> helps security teams gain an overall view of attempts in ongoing campaigns by providing them a correlated view of multiple layers such as email, endpoints, servers, and cloud workloads. Security teams can gain a broader perspective and a better understanding of attack attempts and detect suspicious behavior that would otherwise seem benign when viewed from a single layer alone.<\/p>\n

Meanwhile, Trend Micro Cloud One \u2013 Workload Security<\/a> helps defend systems against vulnerability exploits, malware, and unauthorized change. It can protect a variety of environments such as virtual, physical, cloud, and containers. Using advanced techniques like machine learning (ML) and virtual patching, the solution can automatically secure new and existing workloads both against known and new threats.<\/p>\n

MITRE ATT&CK Technique IDs<\/b><\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n
Technique<\/b><\/td>\nID<\/b><\/td>\n<\/tr>\n
Exploit Public-Facing Application<\/td>\nT1190<\/td>\n<\/tr>\n
Command and Scripting Interpreter:\u202fUnix Shell<\/td>\nT1059.004<\/td>\n<\/tr>\n
Resource Hijacking<\/td>\nT1496<\/td>\n<\/tr>\n
Indicator Removal on Host: Clear Linux or Mac System Logs<\/td>\nT1070.002<\/td>\n<\/tr>\n
File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification<\/td>\nT1222.002<\/td>\n<\/tr>\n
Impair Defenses: Disable or Modify System Firewall<\/td>\nT1562.004<\/td>\n<\/tr>\n
\u202fIndicator Removal on Host: File Deletion<\/td>\nT1070.004<\/td>\n<\/tr>\n
Scheduled Task\/Job:\u202fCron<\/td>\nT1053.003<\/td>\n<\/tr>\n
Impair Defenses:\u202fDisable Cloud Logs<\/td>\nT1562\/008<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

IOCs<\/b><\/p>\n

URLs:<\/b><\/p>\n