Hello and welcome to the Friday, January 19th, 2018 edition of the Sandton Storm Center's Stormcast.

My name is Johannes Ulrich and the I'm recording from Jacksonville, Florida.

On APSIS, a company that deals with the security of enterprise resource planning systems like SAP and Oracle

has taken a closer look at the vulnerability that was exploited to install

these crypto miners. Now, this vulnerability was patched in October and it was a vulnerability

in WebLogic. The issue here is that WebLogic is middleware. So it's really a component of a number of additional

systems and as Onapsus points out, it goes well beyond PeopleSoft. For example, the Oracle

E Business Suite, well, WebLogic is part of it and it could be compromised using this particular

flaw in WebLogic.

Now whenever you have a web application vulnerability like this,

how much you can do with it depends very much on the user

the application is running as.

If this is a low privileged user that doesn't really have access to anything,

then it can be quite limited.

But in this case, actually, WebLogic is running as a privileged user, the application manager,

APPPLMGR.

On AppsS shows how does it can be used to do much more than just install a crypto miner.

For example, they demonstrate how data can be retrieved from the Oracle e-business suite pretty much at well.

So if you find one of these crypto miners running on your system, double check and make sure that there's nothing else going on here.

Yes, the crypto miner is of the big and easy to find exploit for this particular vulnerability, but there

may be more going on in the system that doesn't really stick out as easily. And with all the

fallout about Spectre and Meltdown, Microsoft had run into a problem where some AMD CPUs

...