WebLogic Cryptocurrency Mining

When people who produce in virtual currency mining wanted to do this in computer environment, a search emerged and they tried it on Weblogic.

Weblogic does not have any defense on crypto mining due to its nature, and without such a defense, attackers can perform many operations inside by running arbitrary commands on Weblogic servers that they can access.

The vulnerability published with the code (CVE 2017-10271) is run on the command line called weblogic’s “wls-wstat” and allows the attacker to run the relevant application for mining after installing it.

If a service called “Monero” is running on your system and your processor is peaking, it means that you are involved in this business.

The attacker uses the Dropper script that controls Web services by accessing the URL <HOST> / wls-wsat / CoordinatorPortType and downloads the mining application to the server where Weblogic is installed, ending the Weblogic service.

Below are two pictures for the seized machine.

Addresses trying to reach;

So what can we do at this stage?

First of all, we need to keep our application server up to date and review the following controls. (You can install the necessary patches with your Support account.)

Change the default management port numbers. Use 7001 and 7002 in Weblogic standard installation.

Do not choose the “weblogic” user as the default administrator user for WebLogic Domain. Use a different user and turn this off.

Perform the user name and password process that is asked at service startups with the “boot.properties” file.

Enable the “Administration Port” feature for WebLogic.

Always use “Custom Hostname Verifier”.

Set the value for “Max Post Size”. This setting is the default setting no limit.

And finally, open “Administration auditing” for the WebLogic domain and periodically check the logs.