Top Middle East Cyber Threat - 4 June 2019
At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, I share the top cybersecurity threat our MSS team has recently come across. So, read on to learn about what you need to look out for:
Oracle Users Warned of New WebLogic Zero-Day Exploit
A new zero-day vulnerability affecting Oracle WebLogic Server has been discovered and publicly disclosed by the ‘Knownsec 404’ security research team. This deserialization vulnerability in Oracle WebLogic Server (CVE-2019-2725) allows remote code execution and is remotely exploitable without authentication, meaning it can be exploited over a network without a username or password.
Historically, Oracle WebLogic servers have been targeted widely, especially by criminal groups engaged in crypto-mining operations. A similar WebLogic vulnerability was exploited widely for planting cryptomining malware (CVE-2017-10271).
It has been reported that the new critical vulnerability (CVE-2019-2725) is under active exploit. There is therefore a need for organizations to actively mitigate the impact of this threat as a successful attack could lead to a full compromise of the WebLogic server.
Oracle WebLogic Server is middleware for deploying and administering web applications. This zero-day flaw affects all WebLogic versions that have the wls9_async_response.war and wls-wsat.war components enabled. This includes the latest version of WebLogic.
Exploitation of these components can trigger the deserialization of malicious data, which allows an attacker to take over the targeted system. To do so, an attacker sends a crafted request to the WebLogic Server, which then reaches out to a malicious host to complete the request, exposing the WebLogic server to a Remote Code Execution (RCE) attack.
Security experts at F5 Labs have reported that they have already spotted a campaign exploiting this zero-day flaw in WebLogic servers.
- The last critical patch update from Oracle does not include a patch for this zero-day. However, Oracle has released an out-of-band emergency patch for the vulnerability. Kindly contact the web application team that handles your Oracle WebLogic servers to check the feasibility of applying this patch. Ensure public-facing web servers are patched with the latest updates.
- Verify that no unauthorized system modifications have occurred on the Oracle server before applying the patch.
- Harden the perimeter devices to block traffic with signatures relating to WebLogic servers.
- Apply the Principle of Least Privilege to all systems and services.
- Monitor intrusion detection systems for any signs of anomalous activity.
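To support the monitoring step above, the following added example (not Help AG's code, and not from Oracle or the Knownsec 404 team) scans reverse-proxy access logs in combined log format and flags every request aimed at the two WebLogic components the post names. It assumes, based on public advisories rather than anything in this post, that wls9_async_response.war serves paths under /_async/ and wls-wsat.war serves paths under /wls-wsat/; the log lines are constructed for the example. Any hit shows both that someone is probing those endpoints and that the components are still reachable from that network, which is worth knowing before and after the patch is applied.

```python
import re
from collections import Counter

# Constructed sample access log (combined log format) from a reverse proxy in
# front of a WebLogic instance. These lines are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Jun/2019:10:01:12 +0400] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Jun/2019:10:02:03 +0400] "POST /_async/AsyncResponseService HTTP/1.1" 202 0 "-" "python-requests/2.21.0"
198.51.100.9 - - [04/Jun/2019:10:02:40 +0400] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1432 "-" "curl/7.64.0"
10.0.0.8 - - [04/Jun/2019:10:03:15 +0400] "GET /app/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Jun/2019:10:03:20 +0400] "POST /_async/AsyncResponseServiceHttps?x=1 HTTP/1.1" 202 0 "-" "python-requests/2.21.0"
"""

# Assumption (from public advisories, not from this post): the
# wls9_async_response.war component is reached under /_async/ and the
# wls-wsat.war component under /wls-wsat/. Adjust if your deployment differs.
WATCHED_PREFIXES = ("/_async/", "/wls-wsat/")

# One line of Apache/NGINX combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_component_requests(log_text):
    """Return the parsed records whose path targets a watched WebLogic component."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or non-access line; skip rather than crash
        # Drop any query string so prefix matching sees only the path.
        path = rec["path"].split("?", 1)[0]
        if path.startswith(WATCHED_PREFIXES):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count flagged requests per source IP so the noisiest sources stand out."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    flagged = find_component_requests(SAMPLE_LOG)
    for rec in flagged:
        print(f'{rec["ts"]} {rec["ip"]} {rec["method"]} {rec["path"]} -> {rec["status"]} ({rec["ua"]})')
    for ip, n in summarize(flagged).most_common():
        print(f"{ip}: {n} request(s) to watched WebLogic components")
```

The script deliberately does not inspect request bodies or user agents: the point is that in most deployments nothing legitimate should be talking to these components from the internet at all, so the path alone is the signal. Run it over the real proxy log (replace SAMPLE_LOG with the file contents) and feed the per-IP summary to the team that owns perimeter blocking.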
As always, at Help AG, we’re here to help you protect against these and any other cyber threats, so please reach out to us for all your cybersecurity needs.