Quote:A recently-disclosed critical vulnerability in Oracle WebLogic is being actively exploited in a slew of attacks, which are distributing a never-before-seen ransomware variant.
 
The recently-patched flaw exists in Oracle’s WebLogic server, used for building and deploying enterprise applications. The deserialization vulnerability (CVE-2019-2725​) is being exploited to spread what researchers with Cisco Talos in a Tuesday analysis dubbed the “Sodinokibi” ransomware.
 
“This is the first time we have seen this ransomware being used in the wild,” Jaeson Schultz, technical leader, at Cisco Talos, told Threatpost. “This new ransomware first emerged on April 26. Part of what makes this ransomware stick out is the fact that attackers were using a 0-day vulnerability to install it. Talos is continuing to analyze the ransomware itself. It’s obfuscated and there are several anti-analysis tricks.”

The critical flaw, which has a CVSS score of 9.8, is a remote code execution bug that is remotely exploitable without authentication. Impacted are versions 10.3.6.0.0 and 12.1.3.0.0 of the product. The flaw was patched on April 26 – but researchers said that attackers have been exploiting the flaw since April 21.