Conclusion

Campaigns aimed at mining cryptocurrency and targeting Oracle WebLogic are clearly on the rise, and F5 researchers anticipate this trend to continue. This has been fueled partly by the zero-day vulnerability (CVE-2019-2725)found in April 2019. Oracle WebLogic is used widely by large corporations, and the servers are resource-intensive. This attracts threat actors looking to exploit the processing power of these servers to mine cryptocurrency.

Deserialization vulnerabilities have existed since the inception of serialization. Unsafe deserialization stems from improper input validation. Therefore, it is important for application developers to consider (and secure) the different channels through which an input to a deserialization function can be received. It’s also important to have a team that monitors the health of critical systems. Most cryptominers try to exploit the CPU power to the maximum. A stealthy threat actor might try to harness multiple exploited servers, only using a moderate amount of processing power on each to avoid detection. The level of sophistication used in both cryptomining and deserialization campaigns continues to grow. We can expect to see new techniques developed, especially for these campaigns. They are also likely to bring in more complicated forms of obfuscation previously seen with other malware.

For most organizations, an application firewall serves as the first line of defense for their applications. A well-monitored, configured, and updated web application firewall (WAF) should also be able to stop these threat actors from exploiting vulnerable systems within a network.

F5 security researchers continuously monitor new web application exploits to deliver the latest threat intelligence to our customers, as well as the broader IT security community. Join us in continuing the conversation on social media. You can reach us on Twitter @f5labs, or email us at F5LabsTeam@f5.com.