In a report published on January 7 by SANS Technology Institute, Morphus Labs researcher Renato Marinho revealed what appears to be an ongoing worldwide hacking campaign by multiple attackers against PeopleSoft and WebLogic servers that leverages a Web application server vulnerability patched by Oracle late last year.
These attackers aren’t stealing data from victims, however—at least as far as anyone can tell. Instead, the exploit is being used to mine cryptocurrencies. In one case, according to analysis posted today by SANS Dean of Research Johannes B. Ullrich, the attacker netted at least 611 Monero coins (XMR)—$226,000 dollars’ worth of the cryptocurrency.
The attacks appear to have leveraged a proof-of-concept exploit of the Oracle vulnerability published in December by Chinese security researcher Lian Zhang. Almost immediately after the proof of concept was published, there were reports of it being used to install cryptominers from several different locations—attacks launched from servers (some of them likely compromised servers themselves) hosted by Digital Ocean, GoDaddy, Verizon Business Services, and Athenix.