Aqua Security Nautilus researchers uncovered the Hadooken malware, which primarily targets Oracle WebLogic servers. Hadooken has been implicated in multiple ransomware attacks and deploys a cryptominer after compromising a system. The attackers gained initial access through weak passwords, achieved remote code execution, and used scripts to move laterally within the affected networks. Although the Tsunami malware component that Hadooken drops was not observed being actively used, the presence of both the cryptominer and Tsunami indicates a significant threat. The attack has broad implications because a substantial number of WebLogic servers are connected to the internet; although many of them are protected, those with exposed administration consoles are at risk.
Source: https://securityaffairs.com/168364/malware/hadooken-targets-oracle-weblogic-servers.html
TPRM report: https://scoringcyber.rankiteo.com/company/aquasecteam
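Because the summary turns on two conditions a defender can verify for themselves, an internet-reachable administration console and a password that a short guess list accepts, here is an added example (not code from the article, from Aqua Nautilus, or from Oracle) that checks both against a WebLogic host. The console path, the `j_security_check` form target, the `j_username`/`j_password`/`j_character_encoding` field names and the redirect-based success heuristic are assumptions about the console's form-login flow and should be confirmed against the WebLogic version in use; the credential list and the host name in the usage line are constructed placeholders. Run it only against hosts you are authorised to test, and keep the list short, since the console's user-lockout policy counts failed attempts.

```python
"""Check a WebLogic host for an exposed administration console and for
weak console credentials. Added example; not code from the article or
from Aqua Nautilus. Run only against hosts you are authorised to test."""
import http.client
import sys
from dataclasses import dataclass, field
from urllib.parse import urlencode, urlsplit

# Console paths. The login form target and field names follow the usual
# Java EE form-login convention; treat them, and the redirect heuristic in
# login_succeeds(), as assumptions to verify against your WebLogic version.
CONSOLE_PATH = "/console/"
LOGIN_PATH = "/console/j_security_check"

# Constructed list of credentials that routinely turn up on exposed
# consoles. Keep it short: the console's user-lockout policy counts failures.
WEAK_CREDENTIALS = [
    ("weblogic", "weblogic"),
    ("weblogic", "welcome1"),
    ("weblogic", "Welcome1"),
    ("weblogic", "Password1"),
]


@dataclass
class ConsoleReport:
    console_exposed: bool = False
    weak_credentials: list = field(default_factory=list)


def http_transport(method, url, data=None, timeout=5):
    """Send one request and return (status, headers, body). http.client never
    follows redirects, and the redirect target is what distinguishes a
    successful console login from a failed one."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    body = urlencode(data) if data is not None else None
    headers = {"Content-Type": "application/x-www-form-urlencoded"} if body else {}
    try:
        conn.request(method, parts.path or "/", body=body, headers=headers)
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders()), resp.read()
    finally:
        conn.close()


def _header(headers, name):
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def console_exposed(base_url, transport=http_transport):
    """A reachable console either serves its login page (200) or redirects
    somewhere under /console; a 404 or a refused connection means not exposed."""
    try:
        status, headers, _ = transport("GET", base_url.rstrip("/") + CONSOLE_PATH)
    except OSError:  # connection refused, timeout, DNS failure
        return False
    location = _header(headers, "Location").lower()
    return status == 200 or (300 <= status < 400 and "/console" in location)


def login_succeeds(base_url, username, password, transport=http_transport):
    """Assumption: the console answers the form post with a redirect; on
    failure it redirects back to the login form (LoginForm.jsp), on success
    it redirects elsewhere in the console."""
    form = {"j_username": username, "j_password": password,
            "j_character_encoding": "UTF-8"}
    status, headers, _ = transport("POST", base_url.rstrip("/") + LOGIN_PATH, data=form)
    location = _header(headers, "Location").lower()
    return 300 <= status < 400 and "loginform" not in location


def assess(base_url, transport=http_transport, credentials=WEAK_CREDENTIALS):
    """Run both checks; credentials are only tried when the console is reachable."""
    report = ConsoleReport(console_exposed=console_exposed(base_url, transport))
    if report.console_exposed:
        for user, password in credentials:
            if login_succeeds(base_url, user, password, transport):
                report.weak_credentials.append((user, password))
    return report


if __name__ == "__main__":
    # Usage: python wls_console_check.py http://wls.example.internal:7001
    target = sys.argv[1] if len(sys.argv) > 1 else "http://wls.example.internal:7001"
    result = assess(target)
    print(f"{target}: console exposed={result.console_exposed}, "
          f"weak credentials accepted={result.weak_credentials}")
```

The `transport` parameter exists so the checks can be exercised offline against a fake responder; in production the point of a positive result is not the password itself but the two findings behind it, a console that should not be reachable from the internet and a credential policy that let a guessable password through.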
{
"id": "aqu000092024",
"linkid": "aquasecteam",
"type": "Ransomware",
"date": "9/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'industry': 'Various',
'location': 'Global',
'name': 'Oracle WebLogic Server Users',
'type': 'Organization'}],
'attack_vector': 'Weak Passwords, Remote Code Execution',
'description': 'Aqua Security Nautilus researchers uncovered the Hadooken '
'malware, which primarily targets Oracle WebLogic servers. '
'Hadooken has been implicated in multiple ransomware attacks '
'and deploys a cryptominer after compromising a system. The '
'attackers gained initial access through weak passwords, '
'achieved remote code execution, and used scripts to move '
'laterally within the affected networks. Although the Tsunami '
'malware component that Hadooken drops was not observed being '
'actively used, the presence of both the cryptominer and '
'Tsunami indicates a significant threat. The attack has broad '
'implications because a substantial number of WebLogic servers '
'are connected to the internet; although many of them are '
'protected, those with exposed administration consoles are at '
'risk.',
'impact': {'systems_affected': 'Oracle WebLogic servers'},
'initial_access_broker': {'entry_point': 'Weak passwords'},
'motivation': ['Ransomware', 'Cryptomining'],
'post_incident_analysis': {'root_causes': 'Weak passwords'},
'references': [{'source': 'Aqua Security Nautilus researchers'}],
'title': 'Hadooken Malware Attack on Oracle WebLogic Servers',
'type': 'Malware',
'vulnerability_exploited': 'Weak passwords'}