7-year-old Oracle WebLogic bug under active exploitation

Experts say Big Red will probably re-release patch in an upcoming cycle
A seven-year-old Oracle vulnerability is the latest to be added to CISA's Known Exploited Vulnerability (KEV) catalog, meaning the security agency considers it a significant threat to federal government.

CVE-2017-3506 affects Oracle's WebLogic Server, allowing remote command execution on affected hosts. The bug carries a 7.4 severity rating; patches were originally released for it in April 2017, but recent research suggests it is now being exploited by financially motivated Chinese cybercriminals.

According to security shop Trend Micro's recent work, the group it tracks as Water Sigbin (also known as 8220 Gang) is weaponizing CVE-2017-3506 alongside a second, more recent Oracle WebLogic vuln (CVE-2023-21839) to deploy cryptocurrency miners on targeted hosts.

"Water Sigbin's activities involving the exploitation of CVE-2017-3506 and CVE-2023-21839 underscore the adaptability of modern threat actors," wrote Sunil Bharti, senior threat researcher at Trend Micro.

"The use of sophisticated obfuscation techniques such as hexadecimal encoding of URLs, complex encoding within PowerShell and batch scripts, use of environment variables, and layered obfuscation to conceal malicious code within seemingly benign scripts demonstrates that Water Sigbin is a threat actor that can capably hide its tracks, making detection and prevention more challenging for security teams."
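The hexadecimal URL encoding and character-code concatenation the quote describes are layers a defender can peel back mechanically before scanning a script for indicators. The following is an added example, not code from the article or from Trend Micro's report; the PowerShell fragment inside it is constructed for illustration and is not a real Water Sigbin artifact.

```python
import re
from typing import List

# Constructed PowerShell fragment, not a real Water Sigbin sample: line 1
# hides a download URL as a hex byte string, line 2 assembles "http" from
# [char] code points, line 3 is a benign hex value that must NOT decode.
SAMPLE = r"""
$h = "687474703a2f2f6d616c776172652e6578616d706c652f612e7368"
$p = [char]0x68+[char]0x74+[char]0x74+[char]0x70+"://evil.example/b.ps1"
$g = "3F2504E04F8911D39A0C0305E82C3301"
"""

HEX_RUN = re.compile(r"\b(?:[0-9a-fA-F]{2}){8,}\b")  # >= 8 encoded bytes
CHAR_RUN = re.compile(
    r"\[char\]0x[0-9a-fA-F]{2}(?:\s*\+\s*\[char\]0x[0-9a-fA-F]{2}){3,}", re.I)
GLUE = re.compile(r"""["']?\s*\+\s*["']?""")  # string-concatenation noise
URL = re.compile(r"https?://[\w./-]+", re.I)


def decode_hex_run(token: str) -> str:
    """Decode a hex byte string to text; '' unless it is clean printable ASCII."""
    try:
        text = bytes.fromhex(token).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return ""
    return text if text.isprintable() else ""


def decode_char_run(token: str) -> str:
    """Join the code points of a [char]0xNN+[char]0xNN+... chain."""
    return "".join(chr(int(h, 16))
                   for h in re.findall(r"0x([0-9a-fA-F]{2})", token, re.I))


def deobfuscate(script: str) -> str:
    """Replace hex strings and [char] chains with their decoded text, then drop the + glue."""
    script = HEX_RUN.sub(lambda m: decode_hex_run(m.group(0)) or m.group(0), script)
    script = CHAR_RUN.sub(lambda m: decode_char_run(m.group(0)), script)
    return GLUE.sub("", script)


def extract_urls(script: str) -> List[str]:
    """URLs that become visible once the encoding layers are peeled back."""
    return URL.findall(deobfuscate(script))


if __name__ == "__main__":
    for url in extract_urls(SAMPLE):
        print("decoded URL:", url)
```

The benign GUID-like value on the third line is left untouched because it does not decode to printable ASCII, which is the check that keeps this from flagging every long hex string in a script.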

Trellix (formerly FireEye and McAfee Enterprise) previously assessed that CVE-2017-3506 was also used alongside three other WebLogic bugs to break into Superion's Click2Gov servers back in 2017.

Attackers were thought to have combined vulnerabilities into an exploit chain to ultimately steal payment card information from county governments across the US. It was the earliest sign of attackers abusing CVE-2017-3506 and it's clearly still attractive enough to attackers to prompt the US government into action.

Water Sigbin was first spotted in 2017 and has focused much of its efforts since on the cryptojacking and cryptominer games, evolving its tradecraft consistently and regularly throughout that time.

The group is known for targeting Oracle WebLogic flaws, as well as log4j, Atlassian Confluence bugs, and misconfigured Docker containers to infect hosts with whatever malware it feels like using. Sometimes it's a cryptominer like XMRig, other times it's a DDoS botnet like Tsunami – it changes often.

In some cases, though, its tradecraft remains the same. Trend Micro looked into the group in May 2023 after it was observed exploiting CVE-2017-3506 in separate, earlier attacks. It said that despite some researchers branding the group "script kiddies," in Trend's view it's a "threat to be reckoned with."

As for why the necessary patches haven't been applied after so many years, Iain Saunderson, CTO at Spinnaker Support, told El Reg: "Customers don't apply because either it's too much work or the patch is not available for the version they are running, due to Oracle desupport."

Saunderson went on to say that Oracle is known for re-releasing CVE patches if it deems them necessary.

"The CVE was only released once but apparently, seven years later, it was found to not have fixed the issue," he said. "I suspect Oracle will release a special patch or patch it in either July or October during their next patching cycle." ®
