Security Weekly 32: Oracle Products Become Victims Of a Recently Published Exploit, A New Exploit by RubyMiner, Google Play Has Removed More Than 60 Malicious Applications
Popular Oracle products fell victim to the recently published exploit, which allows remote execution of arbitrary code, although, to the surprise of experts, nothing worse than the unauthorized extraction of cryptocurrency has not happened to them. The attackers exploited the vulnerability in WebLogic application servers patched by Oracle back in October.
To use the exploit, publicly described a little more than a month ago, no special skills are required.
- Not surprisingly, the malicious campaign quickly gained momentum. Not only WebLogic servers themselves were distributed, but also other Oracle solutions that use them. Including PeopleSoft – ERP-system for managing complex administrative infrastructure and financial flows of a large enterprise (often organizations store all their data in this system, confidential and not very).
It would seem that you can not think up any more attractive targets: companies that are large enough to use expensive Oracle products, and carefree enough not to install updates available in the fall – steal insider secrets, blackmail, wait for a reply tone! Oh, at least it was possible to expect a scandal with data leakage. But no, the criminals decided that they do not have the mood to sell information on the black market, and the head hurts, but it’s much more profitable to drop the crypto-currency at current prices.
Anyway, while the attackers managed to mow at least 611 Monero tokens – about 226 thousand dollars: so much is stored in the purse, which was able to come out when analyzing the configuration file XMRig, caught the researchers. How many of all these purses, science, as usual, is not known.
A New Malware Exploit by RubyMiner
As we often have to remind, a lot of malware use exploits for already closed vulnerabilities. The calculation is obvious: not everyone will know about updates, not all of them will be installed immediately, which means that attackers will have time to profit if they act quickly.
- But the criminals behind the new RubyMiner are not in a hurry at all. They are aiming for non-renewable systems for several years – both Windows and Linux – and they use the arsenal of old, well-known and long-passed vulnerabilities for Monero’s mining with the help of the so-called RubyMiner.
After analyzing the malware for the Linux server, the researchers reported that it removes all cron jobs and assigns its own task, which once an hour downloads a script from the Internet, hidden in robots.txt files on different domains. And already this script, in turn, loads the good old XMRig.
Of course, most machines older than ten years cannot compete with the performance of modern machines, and so the mines are not particularly successful, but there is almost no or no attention at all – it is more likely that unauthorized prospectors will remain undetected for longer. As shown by the study of one wallet, hackers have already drunk at least $ 540. It seems to be a bit, but almost no costs: the domain from which the malicious script is loaded has already been used in at least one attack in 2013, and with the same exploit through which RubyMiner is distributed.
Google Play Has Removed More Than 60 Malicious Applications
In December, more than 60 malicious applications were removed from the Google Play store, mostly games that leaked through multiple checks.
The developers were banned, and the users who downloaded them continue to show warnings about the potential danger. The wiped out applications used the usual set of tactics – they threw out a warning about the virus on the whole screen, then offered to download the “antivirus” (of course, a fake one), offered users to participate in lotteries, signed them for paid services … In general, an ordinary gentleman’s set. The case as a whole would be quite ordinary, if not for one “but”.
- Specifically, this bundle of garbage is distinguished by the fact that, firstly, many programs were uniquely designed for preschool children: names from cartoons, puppies and other attributes of tender age. And secondly, applications sometimes started showing children hardcore porn – and on top of all other screens and without warning.
And here the question arises even not about the moral level (with it and so everything is clear), but about the adequacy of intruders. The fact is that the choice of which methods to draw money or information from a user was made after the downloading of the malware. The application has a built-in malicious component, nicknamed the AdultSwine researchers. “Pig” was registered on the development server, sent data about the user and waited for instructions, what exactly to seduce or intimidate the new victim.
- The decision to show the content of 18+ to four-year-olds reveals a clear misunderstanding by the attackers of the target audience: it is unlikely that the kids will click on a porn banner, they will rather get scared and call adults. Although, perhaps, it is a banal error in the profiling algorithms.
Be that as it may, representatives of Google stressed that starting from the end of January new protective functions are introduced in Google Play, which will warn about suspicious applications, but users need not remain vigilant.
