A recently disclosed vulnerability in Oracle WebLogic Server, which we reported on earlier today, is being actively exploited to install a new ransomware variant called "Sodinokibi." The ransomware attempts to encrypt data in the user's directories and deletes Volume Shadow Copy backups to make recovery more difficult.
The vendor has released a patch for this vulnerability. The flaw is easy to exploit: anyone with HTTP access to the WebLogic server can carry out an attack, so applying the patch and limiting which networks can reach the server over HTTP are the immediate priorities. When the ransomware successfully infected a machine, it left the following ransom note, attached as a sample:
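The shadow-copy deletion described above is behaviour a defender can look for on the host even before a sample hash is available. The following Python script is an added example, not code from the original post or from Talos: it runs a small detection over constructed process-creation events (Sysmon-style, flattened to one key=value line each) and flags the command lines commonly used to delete Volume Shadow Copies (vssadmin, wmic, and the Win32_ShadowCopy WMI class), which goes slightly beyond the post's single statement that the copies are deleted. The sample events, the rule names, and the assumption that WebLogic runs under java.exe on Windows (used to raise severity when the deletion descends from the server process) are all assumptions of this example.

```python
"""Flag Volume Shadow Copy deletion in process-creation logs (added example)."""
import re
from typing import Dict, List, Optional

# Constructed sample events, not taken from the original post. Each line is a
# timestamp followed by key=value fields; cmdline is double-quoted.
SAMPLE_EVENTS = [
    '2019-04-30T10:01:03Z host=wls01 parent=java.exe image=cmd.exe '
    'cmdline="cmd.exe /c whoami"',
    '2019-04-30T10:01:09Z host=wls01 parent=java.exe image=cmd.exe '
    'cmdline="cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"',
    '2019-04-30T10:01:10Z host=wls01 parent=cmd.exe image=wmic.exe '
    'cmdline="wmic shadowcopy delete"',
    '2019-04-30T10:03:41Z host=fs02 parent=explorer.exe image=vssadmin.exe '
    'cmdline="vssadmin list shadows"',
    '2019-04-30T10:04:00Z host=fs02 parent=powershell.exe image=powershell.exe '
    'cmdline="powershell -c Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"',
]

# Command-line forms commonly used to remove shadow copies. The post only says
# the copies are deleted; these concrete forms are an assumption of the example.
SHADOW_DELETE_RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wmi_shadowcopy_delete_method",
     re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I)),
]

# Assumption: WebLogic on Windows runs inside java.exe, so a shadow-copy
# deletion whose parent is java.exe points at a compromise through the web tier.
WEB_SERVER_PARENTS = {"java.exe"}

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Split 'ts k=v k="v with spaces"' into a dict; the first token is the timestamp."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for m in FIELD_RE.finditer(rest):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def classify(cmdline: str) -> Optional[str]:
    """Return the name of the first shadow-copy deletion rule that matches, or None."""
    for name, rx in SHADOW_DELETE_RULES:
        if rx.search(cmdline):
            return name
    return None


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per event whose command line deletes shadow copies."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        rule = classify(ev.get("cmdline", ""))
        if rule is None:
            continue
        parent = ev.get("parent", "?")
        alerts.append({
            "ts": ev["ts"],
            "host": ev.get("host", "?"),
            "parent": parent,
            "rule": rule,
            # Deletion spawned from the application server process is the
            # pattern that matches the WebLogic intrusion described in the post.
            "severity": "critical" if parent.lower() in WEB_SERVER_PARENTS else "high",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Listing shadows (the fourth event) is benign administration and is deliberately not matched; only deletion forms raise an alert, and the alert is escalated when the parent process is the one the web application runs in.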
Indicators of Compromise are given below. The attacker's IP address was reported by Cisco's Talos blog as follows:
This IP has previously been reported multiple times; see https://www.abuseipdb.com/check/220.127.116.11.
Indicators of Compromise
IP(s) / Hostname(s)
Malware Hash (MD5/SHA1/SHA256)
Oracle WebLogic Server