News: 1726187472

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

'Hadooken' Linux malware targets Oracle WebLogic servers

(2024/09/13)


An unknown attacker is exploiting weak passwords to break into Oracle WebLogic servers and deploy an emerging Linux malware called Hadooken, according to researchers from cloud security outfit Aqua.

it is unclear if the malware is being deployed in a concerted campaign: Aqua lead data analyst Assaf Morag told The Register that his team "saw a few dozen attacks over the past couple of weeks."

WebLogic is a platform for running applications at enterprise scale, and is often present at financial services providers, e-commerce operations, and other business-critical systems. It is frequently [1]abused as it includes [2]various [3]vulnerabilities .

[4]

Aqua caught the malware in a honeypot WebLogic server. The attack exploited a weak password to gain entry, then remotely executed malicious code. The first payload runs a shell script called "c" and a Python script called "y" – both of which attempted to download Hadooken.

[5]

[6]

Hadooken, likely named after an attack in the Street Fighter videogame series, contains a cryptominer and the Tsunami malware – a DDoS botnet and backdoor that gives attackers full remote control over an infected machine.

Aqua's threat hunters observed they have not seen evidence of Tsunami running, but they speculated it could be used later.

[7]

The malware also creates multiple cronjobs to maintain persistence. The shell script that starts the fun can also steal user credentials and other secrets, which attackers use to move laterally and attack other servers.

[8]Adobe fixed Acrobat bug, neglected to mention whole zero-day exploit thing

[9]AWS 'Bucket Monopoly' attacks could allow complete account takeover

[10]PowerShell? More like PowerHell: Microsoft won't fix flaws in package gallery ripe for supply chain attacks

[11]I stole 20GB of data from Capgemini – and now I'm leaking it, says cyber-crook

Aqua traced the downloaded Hadooken malware back to two IP addresses. One of which is associated with a UK-based hosting company. There is no suggestion the company has a role in any malware campaign.

"TeamTNT and Gang 8220 used this IP in the past but that doesn't say anything about potential attribution," Morag explained.

Aqua also wrote that its researchers’ analysis of the Hadooken binary suggests links to the RHOMBUS and NoEscape ransomware strains.

"Thus we can assume that the threat actors [are] targeting … Windows endpoints to execute a ransomware attack, but also Linux servers to target software often used by big organizations to launch backdoors and cryptominers," Morag [12]wrote in a report about Hadooken published on Thursday. ®

Get our [13]Tech Resources



[1] https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=WebLogic&field_date_added_wrapper=all&field_cve=&sort_by=field_date_added&items_per_page=20&url=

[2] https://www.cve.org/CVERecord?id=CVE-2017-3506

[3] https://www.cve.org/CVERecord?id=CVE-2023-21839

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZuO45X4CIMJCZT2--fnDaAAAAgo&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZuO45X4CIMJCZT2--fnDaAAAAgo&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZuO45X4CIMJCZT2--fnDaAAAAgo&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZuO45X4CIMJCZT2--fnDaAAAAgo&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[8] https://www.theregister.com/2024/09/12/adobe_acrobat_0day/

[9] https://www.theregister.com/2024/08/07/aws_bucket_monopoly_attacks_could/

[10] https://www.theregister.com/2023/08/16/microsoft_powershell_gallery_flaws/

[11] https://www.theregister.com/2024/09/12/capgemini_breach_data_dump/

[12] https://www.aquasec.com/blog/hadooken-malware-targets-weblogic-applications/

[13] https://whitepapers.theregister.com/



`Lasu' Releases SAG 0.3 -- Freeware Book Takes Paves For New World Order
by staff writers

...
The central Superhighway site called ``sunsite.unc.edu''
collapsed in the morning before the release. News about the release had
been leaked by a German hacker group, Harmonious Hardware Hackers, who
had cracked into the author's computer earlier in the week. They had
got the release date wrong by one day, and caused dozens of eager fans
to connect to the sunsite computer at the wrong time. ``No computer can
handle that kind of stress,'' explained the mourning sunsite manager,
Erik Troan. ``The spinning disks made the whole computer jump, and
finally it crashed through the floor to the basement.'' Luckily,
repairs were swift and the computer was working again the same evening.
``Thank God we were able to buy enough needles and thread and patch it
together without major problems.'' The site has also installed a new
throttle on the network pipe, allowing at most four clients at the same
time, thus making a new crash less likely. ``The book is now in our
Incoming folder'', says Troan, ``and you're all welcome to come and get it.''
-- Lars Wirzenius <wirzeniu@cs.helsinki.fi>
[comp.os.linux.announce]