Oracle WebLogic Server was reported to have been actively exploited to distribute a new strain of ransomware, dubbed "Sodinokibi" which can trigger the deserialization of code to allow attackers to run arbitrary commands remotely on affected servers by sending a specially crafted HTTP request, without authorization.
While hackers are taking advantage of the newly discovered flaw, making it the primary attack vectors, to carry out cyber crimes like cryptomining, phishing, and ransomware attacks, as the ‘Sodinokibi’ ransomware attempts to encrypt all data in a directory.
Sodinokibi ransomware variant is more dangerous because it doesn't only encrypt files and ask for ransom, but also delete all backups from the system to prevent the victim from recovering their data. And other ransomware require some form of interaction from the user such as clicking on a malicious link, or downloading and running the malicious code to infect the system, Sodinokibi requires no form of interaction from the user to infect a system.
According to the researchers, after about eight hours of deploying Sodinokibi on a system, the attackers leverage the same WebLogic Server vulnerability to install a second piece of ransomware known as GandCrab.
The ransomware encrypts the target systems, showing a ransom note demanding about $2,500 in Bitcoin before granting the user access to their data. If the ransom isn't paid within a specified number of days, which timeline varies between 2 to 6 days, it then doubles the amount to $5,000.
The vulnerability marked as CVE-2019-2725, which affected all versions of the WebLogic software was given a severity score of 9.8 out of 10, but Oracle has now rolled out an out-of-band security update, just a day after it was made public. It is recommended that all organizations using the Oracle WebLogic Server should update their installations to the latest version of the software.