June 4, 2024 at 08:39AM
CISA added an old Oracle WebLogic vulnerability, CVE-2017-3506, to its list of known exploited vulnerabilities. Chinese hackers have been using it to deploy cryptocurrency miners. Trend Micro reported that a China-based threat group, Water Sigbin, continues to exploit this vulnerability and another recent one. Their advanced techniques make detection and prevention challenging. CISA urged government organizations to address the flaw by June 24.
Key takeaways:
1. The US cybersecurity agency CISA recently added the old Oracle WebLogic flaw CVE-2017-3506 to its Known Exploited Vulnerabilities (KEV) catalog after Chinese hackers were seen exploiting it to deploy cryptocurrency miners.
2. The vulnerability affects Oracle WebLogic Server, allowing unauthenticated attackers to access or modify critical data and enabling arbitrary OS command execution through specially crafted HTTP requests.
3. The issue was initially addressed by Oracle in 2017, but signs of potential exploitation in the wild emerged in 2018 during attacks carried out by a financially motivated threat group attempting to obtain payment card data from US cities.
4. Trend Micro reported that a threat group named Water Sigbin, described as a China-based threat actor, continues to exploit CVE-2017-3506 as well as a more recent Oracle WebLogic Server flaw tracked as CVE-2023-21839. The group deploys cryptocurrency miners using sophisticated obfuscation techniques, making detection and prevention more challenging for security teams.
5. CISA has instructed government organizations to address the CVE-2017-3506 flaw by June 24 following the publication of Trend Micro’s report on Water Sigbin.
6. Overall, these developments highlight the adaptability of modern threat actors and the increasing sophistication of their techniques, emphasizing the importance of proactive cybersecurity measures.