Oracle servers targeted by new Linux malware for password theft and cryptocurrency mining

Researchers observed the Hadooken malware’s functionality, which includes cryptocurrency mining and DDoS botnet creation. While its ransomware capabilities have yet to be fully confirmed, the malware poses a significant threat due to its complete control over compromised systems.

Oracle WebLogic servers have recently become a focal point for cybercriminals exploiting weaknesses in the platform to deploy new malware. Security researchers at Aqua have identified and tracked a new strain of Linux malware named Hadooken, which has been utilized in multiple attacks in recent weeks. This malware is particularly concerning due to its dual functionality: cryptocurrency mining and building a distributed denial of service (DDoS) botnet. Additionally, it provides attackers with complete control over compromised systems.

Oracle WebLogic, a popular Java-based application server widely used across finance, telecommunications, and e-commerce, is exposed through security weaknesses in the platform. Aqua researchers discovered Hadooken through a honeypot set up to simulate and observe attacks. They noted that attackers gained access by cracking weak passwords, then deployed the Hadooken malware, which carried out cryptocurrency mining and potentially other malicious activity.

The Hadooken malware has been observed in several dozen attacks, focusing primarily on cryptocurrency mining. However, its capabilities extend to creating a DDoS botnet and, potentially, ransomware functionality, though the latter has not been fully confirmed. The malware’s ability to provide complete control over compromised endpoints makes it a significant threat.

Researchers traced the IP addresses associated with Hadooken to two locations: one linked to a UK-based hosting company registered in Germany, and another based in Russia. Despite these findings, the specific threat actors behind the attack remain unidentified, though historical connections to groups like TeamTNT and Gang 8220 were noted.