Threat Watch

Oracle WebLogic Bug Exploited to Drop Cobalt Strike

Following the recent public release of proof-of-concept code for CVE-2020-14882, an unauthenticated remote code execution flaw in Oracle WebLogic Server, several opportunistic threat actors are using the exploit to gain a foothold on vulnerable WebLogic servers and drop Cobalt Strike Beacon. Cobalt Strike is a powerful post-compromise framework sold commercially to legitimate security teams and service providers for adversary simulation, but cracked and unlicensed copies are also used extensively by real threat actors to take control of a domain and distribute ransomware. When Cobalt Strike shows up in an environment that has not commissioned a red team engagement, the likelihood that ransomware follows increases dramatically. Oracle urges organizations to apply the patch as soon as possible.

ANALYST NOTES

Vulnerability management and patch management are not simple by any means. However, when a vulnerability is known to be actively exploited in the wild and allows unauthenticated remote code execution, the patch should be treated as a critical emergency, and mitigation and detection measures should be put in place immediately while it is rolled out. Leaving such a patch unapplied has severe consequences down the line: the cost of deploying it now, measured in hundreds or thousands of dollars, is small next to the potential millions required to respond and recover once ransomware has ripped through an enterprise.
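As an added example, not code from this bulletin or from the cited article, the following Python script implements the kind of stopgap detection the note above calls for: it scans web server access logs in front of the WebLogic Administration Console for the request shape used by the public CVE-2020-14882 proof of concept. It assumes combined-format access logs (Apache or nginx style) and the sample lines are constructed. The two indicators it looks for, a double-URL-encoded `..` traversal from a static `/console/` resource directory into `console.portal`, and a `handle=` parameter that instantiates `com.tangosol.coherence.mvel2.sh.ShellSession`, come from the published proof-of-concept request, not from this page.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache/nginx "combined" format), not
# real WebLogic logs. Two benign admin console requests, then two requests
# shaped like the public CVE-2020-14882 proof of concept.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Oct/2020:14:02:11 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
10.0.0.5 - - [29/Oct/2020:14:02:20 +0000] "POST /console/j_security_check HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Oct/2020:14:10:03 +0000] "GET /console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession(%22java.lang.Runtime.getRuntime().exec('whoami');%22) HTTP/1.1" 200 3011 "-" "python-requests/2.24.0"
203.0.113.9 - - [29/Oct/2020:14:11:45 +0000] "GET /console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(%22java.lang.Runtime.getRuntime().exec('id');%22) HTTP/1.1" 200 3011 "-" "curl/7.68.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_twice(s: str) -> str:
    """Percent-decode twice so both %2E%2E%2F and %252E%252E%252F collapse to '../'.
    The second pass is a no-op on input that was only encoded once."""
    return unquote(unquote(s))


def is_cve_2020_14882_probe(target: str) -> bool:
    """Return True if a request target matches the public exploit shape.

    Indicator 1 (auth bypass): a '..' segment in a path under /console/ after
    decoding. The static resource directories of the console never need
    traversal, and the PoC uses it to reach console.portal unauthenticated.
    Indicator 2 (RCE primitive): a handle= parameter naming the MVEL
    ShellSession class, which the PoC uses to run arbitrary Java.
    Legitimate console requests also carry handle= (com.bea.console.handles...),
    so handle= alone is not flagged.
    """
    path, _, query = target.partition("?")
    if not path.lower().startswith("/console/"):
        return False
    decoded_path = decode_twice(path)
    traversal = ".." in decoded_path
    decoded_query = decode_twice(query).lower()
    handle_abuse = "handle=" in decoded_query and "mvel2.sh.shellsession" in decoded_query
    return traversal or handle_abuse


def find_exploit_attempts(log_text: str):
    """Return (ip, status, target) for every parsed line that matches the probe.
    The status code is kept so analysts can triage: a 200 against an unpatched
    server means the request was served and warrants incident response."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines this minimal parser does not understand
        if is_cve_2020_14882_probe(m["target"]):
            hits.append((m["ip"], m["status"], m["target"]))
    return hits


if __name__ == "__main__":
    for ip, status, target in find_exploit_attempts(SAMPLE_LOG):
        print(f"{ip} {status} {target[:80]}")
```

This is a signature check, not a substitute for the patch: it decodes only percent-encoding, so an attacker using a different traversal encoding or a different gadget in `handle=` will slip past it, and it sees nothing if the console is reached over a path the logs do not capture. Run it over the access logs of every internet-facing WebLogic instance while the patch is being rolled out, and treat any hit with a 200 response as a potential compromise rather than a blocked probe.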

For more information, please see: https://www.bleepingcomputer.com/news/security/critical-bug-actively-used-to-deploy-cobalt-strike-on-oracle-servers/