On the 15th of this month, K.Orange tweeted a warning that unpatched WebLogic servers carry a vulnerability that attackers were exploiting to run a program named "watch-smartd".
Recently NSFOCUS has received emergency response requests from customers in many industries (finance, telecom carriers, Internet companies and others) who found a program named "watch-smartd" under /tmp/ on their WebLogic servers exhausting the CPU. Alongside "watch-smartd", its earlier version, "Carbon", was present on some of the hosts. This miner has no persistence mechanism of its own (nothing keeps its process alive or restarts it), yet it reappears at any time after being removed.
The "watch-smartd" program connected to "minergate.com" and "pool.minexmr.com", both mining pools.
After monitoring and analyzing the victim systems, we are certain that the attackers used the WebLogic wls-wsat component to download and run the mining program remotely.
The attackers first downloaded a shell script named "setup-watch", which in turn downloads and runs "watch-smartd".
We have not found any information about this attack code in public vulnerability databases so far, so we believe it uses an exploit that is not public but is known in the underground. By checking patches, we found that the attack hits WebLogic installations that were not patched in October; hosts with the latest updates are not affected.
In the default configuration, the attack code executes without leaving logs or traces on the system, which is why the attackers could keep downloading and running the miner program unnoticed.
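Because the exploit itself leaves no server-side log, triage has to rely on host artifacts. The script below is an added example (not NSFOCUS's tooling) that checks a host for the indicators given above: the "watch-smartd", "Carbon" and "setup-watch" files under /tmp, and processes whose command line names the miner or the pools minergate.com and pool.minexmr.com. The process listing it ships with is constructed for demonstration; that the pool hostname shows up on the miner's command line is an assumption, not something the writeup states.

```shell
#!/bin/sh
# Added host-triage example for the watch-smartd miner (not NSFOCUS's own
# script). Indicators come from the writeup: file names under /tmp and the
# two pool hosts. The sample process listing below is constructed.

MINER_NAMES='watch-smartd|Carbon|setup-watch'
POOL_HOSTS='minergate\.com|pool\.minexmr\.com'
INDICATOR_RE="$MINER_NAMES|$POOL_HOSTS"

# Print every dropper/miner file present in DIR (default /tmp), one per line.
# Returns 0 if anything was found, 1 otherwise.
scan_dropper_files() {
  dir="${1:-/tmp}"
  found=1
  for name in watch-smartd setup-watch Carbon; do
    if [ -e "$dir/$name" ]; then
      printf 'file: %s\n' "$dir/$name"
      found=0
    fi
  done
  return $found
}

# Read a `ps -eo pid,user,args` style listing on stdin and print the lines
# whose command line names the miner, the dropper or a pool host.
# (Assumption: the pool is passed on the command line, as miners usually do.)
scan_process_list() {
  grep -E "$INDICATOR_RE"
}

# Same input, but print only the number of matching lines (0 when clean).
count_process_hits() {
  grep -c -E "$INDICATOR_RE" || true
}

# Constructed sample listing: one miner process (with its pool), one running
# instance of the dropper, and two legitimate processes.
sample_ps_listing() {
  printf '%s\n' \
    '1 root /sbin/init' \
    '2345 weblogic /tmp/watch-smartd -o pool.minexmr.com:4444' \
    '2400 weblogic /bin/sh /tmp/setup-watch' \
    '3000 weblogic java -Dweblogic.Name=AdminServer'
}

# Live run: scan the real /tmp and the real process table.
if [ "${1:-}" = "live" ]; then
  scan_dropper_files /tmp || echo "no dropper files under /tmp"
  ps -eo pid,user,args | scan_process_list || echo "no suspicious processes"
fi
```

Run it as `sh triage.sh live`; without the argument it only defines the functions, so it can be sourced or exercised against the constructed listing. Since the miner comes back after removal, scheduling the live run from cron and alerting on any hit is a cheap way to catch re-infection between cleanups.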
Temporary Protection Solutions
1. Find the WebLogic installation path and delete the wls-wsat.war files and the directories they are deployed to. For a default layout under /home/WebLogic the paths are as follows (adjust them to your installation):
rm -f /home/WebLogic/Oracle/Middleware/wlserver_10.3/server/lib/wls-wsat.war
rm -f /home/WebLogic/Oracle/Middleware/user_projects/domains/base_domain/servers/AdminServer/tmp/.internal/wls-wsat.war
rm -rf /home/WebLogic/Oracle/Middleware/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/wls-wsat
2. Restart WebLogic (or the whole system) and confirm that requesting the wls-wsat link now returns HTTP error 404.
3. If the miner keeps coming back, contact NSFOCUS for an emergency response solution.
4. For more information, contact the NSFOCUS Security Response Team.
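The steps above are manual and path-specific; on a host with several managed servers each one has its own tmp/.internal and tmp/_WL_internal copy. The script below is an added example (not NSFOCUS's script) that automates the temporary fix: it locates every wls-wsat.war and every exploded wls-wsat directory under a WebLogic home, removes them (or only lists them with DRY_RUN=1), and after the restart checks that the endpoint answers 404. WL_HOME defaults to the /home/WebLogic path used above and WSAT_URL to the admin server on the default port 7001; both are assumptions to set for your environment. The lasting fix remains the October update, which the writeup notes leaves hosts unaffected.

```shell
#!/bin/sh
# Added example (not NSFOCUS's script): automate the temporary wls-wsat
# removal described above and verify it after the restart.
# WL_HOME and WSAT_URL are assumptions; override them in the environment.
set -eu

WL_HOME="${WL_HOME:-/home/WebLogic/Oracle/Middleware}"
# Assumed: admin server listening on the default port 7001.
WSAT_URL="${WSAT_URL:-http://127.0.0.1:7001/wls-wsat/}"

# List every wls-wsat.war (server/lib and each server's tmp/.internal copy)
# and every exploded _WL_internal/wls-wsat directory below ROOT.
# -prune stops find from descending into a matched directory, so the
# directory is reported once and can be removed whole.
find_wls_wsat() {
  find "$1" \( -name 'wls-wsat.war' -o \( -type d -name 'wls-wsat' \) \) \
    -prune -print 2>/dev/null
}

# Delete everything find_wls_wsat reports under ROOT.
# With DRY_RUN=1 it only prints what it would remove.
remove_wls_wsat() {
  root="$1"
  targets=$(find_wls_wsat "$root" || true)
  if [ -z "$targets" ]; then
    echo "no wls-wsat artifacts under $root"
    return 0
  fi
  printf '%s\n' "$targets" | while IFS= read -r path; do
    if [ "${DRY_RUN:-0}" = 1 ]; then
      echo "would remove $path"
    else
      rm -rf "$path" && echo "removed $path"
    fi
  done
}

# The endpoint is gone only if the server answers 404; anything else
# (200, 500, or 000 for no answer) means wls-wsat is still deployed,
# the server was not restarted, or the probe did not reach it.
wsat_status_means_removed() {
  [ "$1" = "404" ]
}

# Probe WSAT_URL and decide with wsat_status_means_removed.
verify_wsat_removed() {
  code=$(curl -s -o /dev/null -w '%{http_code}' "$WSAT_URL" || echo 000)
  if wsat_status_means_removed "$code"; then
    echo "ok: $WSAT_URL returned 404"
  else
    echo "warning: $WSAT_URL returned $code; wls-wsat may still be deployed" >&2
    return 1
  fi
}

case "${1:-}" in
  remove)
    remove_wls_wsat "$WL_HOME"
    echo "now restart WebLogic, then run: $0 verify"
    ;;
  verify) verify_wsat_removed ;;
esac
```

Typical use is `DRY_RUN=1 sh wsat-cleanup.sh remove` to review the list, `sh wsat-cleanup.sh remove` to delete, a WebLogic restart, and `sh wsat-cleanup.sh verify`, which exits non-zero whenever the response is anything other than 404 so it can gate a change ticket. A 200 after the restart usually means a copy of the WAR survived under a server directory that was not searched; rerun `remove` with WL_HOME pointed at the domain root.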