One of the many ongoing challenges faced by security operations center (SOC) analysts is making sense of (and unfortunately in many cases just ignoring) the thousands of scanning events that troll their public internet-facing servers each day.
Famously, beginning with the Morris Worm and carrying forward to today’s Mirai and Reaper campaigns, threat actors have embraced botnets’ abilities to scan large blocks of attack surface and then opportunistically exploit machines where vulnerabilities exist. Last year’s WannaCry and Zealot campaigns are strong examples of how actors monetized this process via ransomware and miner payloads respectively.
Bots Scanning on TCP port 7001
Recent Oracle WebLogic vulnerabilities CVE-2017-10271 and CVE-2018-2628 are just another chapter in this story, as bots have already been observed attempting to weaponize these vulnerabilities. Data from Grey Noise Intelligence (GNI) is extremely useful here to identify and establish the scale of this activity, which appears to be primarily targeting TCP port 7001 (i.e., Oracle WebLogic servers).
Here are GNI’s complete lists of all source IP addresses scanning and connecting on TCP port 7001. And with the ready availability of tools such as Shodan and Censys, it stands to reason that more targeted exploitation attempts are likely to occur (if not already happening) in the wild.
JASK ASOC currently tags this activity as “IP Address Scan – External” signals and also provides the ability to more broadly investigate these events via the Zeppelin notebook interface. The query below reveals all destination IP addresses that have been scanned for TCP port 7001. (Cross-correlating these scanning results with successful connections in the ‘flows’ table is recommended to quantify possible exposure).
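As an added illustration of the cross-correlation recommended above (example code written for this post, not JASK's own query or table schema), the snippet below takes constructed Zeek-style flow records, flags external sources that probed several hosts on TCP port 7001, and then lists the internal hosts where one of those scanners actually completed a handshake, which is the set worth verifying and patching first.

```python
"""Scan-vs-exposure correlation for TCP port 7001 (added example).
Each record is (src_ip, dst_ip, dst_port, conn_state); conn_state follows
Zeek-style values (assumption): 'S0' = SYN with no reply (probe only),
'SF' = completed handshake, 'REJ' = rejected."""
from collections import defaultdict

FLOWS = [  # constructed sample data, not real traffic
    ("198.51.100.7", "10.0.0.1", 7001, "S0"),
    ("198.51.100.7", "10.0.0.2", 7001, "S0"),
    ("198.51.100.7", "10.0.0.3", 7001, "SF"),
    ("198.51.100.7", "10.0.0.4", 7001, "S0"),
    ("203.0.113.9", "10.0.0.3", 7001, "SF"),
    ("203.0.113.9", "10.0.0.5", 7001, "REJ"),
    ("203.0.113.9", "10.0.0.6", 7001, "S0"),
    ("192.0.2.50", "10.0.0.3", 443, "SF"),   # ordinary client, not a scanner
    ("192.0.2.50", "10.0.0.3", 7001, "SF"),
]


def scanners(flows, port=7001, min_targets=3):
    """Sources that touched at least min_targets distinct hosts on the port.
    Returns {src_ip: set(dst_ips)} so the analyst can see the spread."""
    targets = defaultdict(set)
    for src, dst, dport, _state in flows:
        if dport == port:
            targets[src].add(dst)
    return {src: hosts for src, hosts in targets.items() if len(hosts) >= min_targets}


def exposure(flows, port=7001, min_targets=3):
    """Internal hosts on which a scanner completed a handshake on the port.
    A probe that gets no reply is noise; a completed connection from a
    scanning source means the WebLogic port is reachable from the internet."""
    scan_srcs = scanners(flows, port, min_targets)
    exposed = defaultdict(set)
    for src, dst, dport, state in flows:
        if src in scan_srcs and dport == port and state == "SF":
            exposed[dst].add(src)
    return dict(exposed)


if __name__ == "__main__":
    for src, hosts in scanners(FLOWS).items():
        print(f"scanner {src}: {len(hosts)} hosts probed on 7001")
    for dst, srcs in exposure(FLOWS).items():
        print(f"EXPOSED {dst}: reachable by {sorted(srcs)}")
```

Thresholds such as min_targets should be tuned against the site's baseline; a single handshake from a source that probed only one host is not evidence of scanning.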
Exploitation Attempts of Exposed Servers on TCP port 7001
Once a vulnerable machine is identified, actors move on to exploitation. The code block below shows an attempt to exploit an Oracle WebLogic server via CVE-2017-10271.
In the case of this exploit attempt, a miner payload ‘downloader.exe’ was downloaded from the GoDaddy-registered domain down[.]kingminer[.]club, hosted on 173.208.202[.]234. (Note: While we were unable to locate a sample available on public sandboxes, a potentially related ‘downloader.exe’ sample from the same delivery domain was submitted to reverse.it on April 21, 2018.)
Many of these same source IPs scanning and exploiting port 7001 have also incorporated the more recent Oracle WebLogic CVE-2018-2628 vulnerability. JASK’s Rod Soto demonstrates this remote code execution (RCE) in several proof of concept screenshots below, and exploit.py code is available on github courtesy of brianwrf.
Activity related to this newer vulnerability has also been seen in the wild; the probes below were recently captured by Grey Noise Intelligence (GNI).
JASK expects to see significant exploitation of this vulnerability (similar to the widespread Muhstik exploitation of Drupal vulnerability CVE-2018-7600) in the near future.
Special thanks to Rod Soto (JASK) and Andrew Morris (GNI) for contributing to this research.
JASK is modernizing security operations to reduce organizational risk and improve human efficiency. Through technology consolidation, enhanced AI and machine learning, the JASK Autonomous Security Operations Center (ASOC) platform automates the correlation and analysis of threat alerts, helping SOC analysts focus on high-priority threats, streamline investigations and deliver faster response times.