The US cybersecurity agency CISA on Monday added an old Oracle WebLogic flaw to its Known Exploited Vulnerabilities (KEV) catalog after it was seen being exploited by Chinese hackers to deploy cryptocurrency miners.
The vulnerability, tracked as CVE-2017-3506, affects Oracle WebLogic Server and allows an unauthenticated attacker to access or modify critical data, enabling arbitrary OS command execution. Attackers can achieve remote code execution via specially crafted HTTP requests.
The issue was addressed by Oracle in 2017. The first signs of potential exploitation in the wild emerged in 2018, during the analysis of attacks carried out by a financially motivated threat group that was attempting to obtain payment card data from US cities that had been relying on Click2Gov software for utility bill payments.
FireEye said at the time that CVE-2017-3506 was one of the three Oracle WebLogic vulnerabilities that may have been exploited in the initial phase of the attack.
In May 2023, Trend Micro reported that a threat group named 8220 Gang (aka 8220 Mining Group) had been exploiting this and other vulnerabilities to deploy cryptocurrency miners on Windows and Linux systems.
On May 30, 2024, Trend Micro published an update on the 8220 Gang’s activities, which the company now tracks as Water Sigbin. The cybersecurity firm said the group, which has been described as a China-based threat actor, continues to exploit CVE-2017-3506, as well as a more recent Oracle WebLogic Server flaw tracked as CVE-2023-21839.
The cybercriminals continue to deploy cryptocurrency miners, but their techniques have evolved, making it more difficult to detect their activities and defend against their attacks, Trend Micro said.
“The Water Sigbin’s activities involving the exploitation of CVE-2017-3506 and CVE-2023-21839 underscore the adaptability of modern threat actors,” the security firm noted.
“The use of sophisticated obfuscation techniques such as hexadecimal encoding of URLs, complex encoding within PowerShell and batch scripts, use of environment variables, and layered obfuscation to conceal malicious code within seemingly benign scripts demonstrates that Water Sigbin is a threat actor that can capably hide its tracks, making detection and prevention more challenging for security teams,” it added.
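As an added illustration (not code from the article or from Trend Micro's report), the following Python script shows how a defender can surface one of the obfuscation patterns quoted above, hex-encoded URLs in scripts: it decodes long hex runs and 0x-byte lists found in script text and reports those that decode to a URL. The script fragment and the URLs in it are constructed samples, not indicators from the report.

```python
import re

# Constructed sample script fragment (made-up URLs, not indicators from the article).
# It hides one URL as a plain hex string and one as a 0x-byte list, and also
# carries a hex hash that must not be flagged.
SAMPLE_SCRIPT = (
    '$h = "687474703a2f2f6578616d706c652e696e76616c69642f7570646174652e7368"\n'
    "$u = -join ($h -split '(..)' | ? { $_ } | % { [char][convert]::ToInt32($_,16) })\n"
    "$b = 0x68,0x74,0x74,0x70,0x73,0x3a,0x2f,0x2f,0x65,0x78,0x61,0x6d,0x70,0x6c,0x65,"
    "0x2e,0x69,0x6e,0x76,0x61,0x6c,0x69,0x64,0x2f\n"
    '$hash = "d41d8cd98f00b204e9800998ecf8427e"\n'
)

# A run of at least 8 hex byte pairs not touching other hex digits.
HEX_RUN = re.compile(r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{2}){8,}(?![0-9A-Fa-f])")
# A comma/space separated list of at least 8 0x-prefixed bytes.
HEX_BYTE_LIST = re.compile(r"(?:0x[0-9A-Fa-f]{2}\s*,?\s*){8,}")
URL_RE = re.compile(r"^(?:https?|ftp)://[^\s\"']+$", re.IGNORECASE)


def hex_candidates(line):
    """Yield (matched_text, hex_digits) for each hex-encoded blob in a line."""
    for m in HEX_RUN.finditer(line):
        yield m.group(0), m.group(0)
    for m in HEX_BYTE_LIST.finditer(line):
        yield m.group(0), "".join(re.findall(r"0x([0-9A-Fa-f]{2})", m.group(0)))


def decode_printable(hex_digits):
    """Decode hex to ASCII, or return None if any byte is not printable."""
    raw = bytes.fromhex(hex_digits)
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def find_hidden_urls(script_text):
    """Return [{'line', 'encoded', 'url'}] for every hex blob that decodes to a URL."""
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        for encoded, hex_digits in hex_candidates(line):
            decoded = decode_printable(hex_digits)
            if decoded and URL_RE.match(decoded):
                findings.append({"line": lineno, "encoded": encoded, "url": decoded})
    return findings


if __name__ == "__main__":
    for f in find_hidden_urls(SAMPLE_SCRIPT):
        print(f"line {f['line']}: {f['url']}  (from {f['encoded'][:24]}...)")
```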
CISA added CVE-2017-3506 to its KEV catalog just days after Trend Micro published its report on Water Sigbin. The agency has instructed government organizations to address the flaw by June 24.