Hackers are Attempting To Exploit HTTP Transports Through Oracle WebLogic

Last night and on through this morning my site has started coming under heavy attack from all over the world, though mostly out of the Asia Pacific region. More specifically, from Ukraine, Germany, Vietnam, Brisbane and China. What I uncovered was a new hacking technique that I had never come across before, attempting to exploit http transports of cloud data services which hackers had falsely expected to be connected to my WordPress account. While the incident can be thought of more as a “probe” than an outright “hack,” it did reveal a lot about the strategy they had hoped to employ.

Auditing my firewall logs, it appears as though hackers were first attempting to run “XSS Attacks” against my php file setup, hoping I had made/built custom edits to it through the phpMyAdmin (pma) shell at some point or another in the past. When that didn’t work, hackers then started probing my site to find out whether or not I had tied to Oracle WebLogic. For example, hackers repeatedly kept running a string of probes that looked something like this:

No photo description available.

While I did not include them here, there were over 40 more additional logs just like this made over the course of a 12-14 hour time span, from multiple locations. Upon further investigation, it appears as though hackers were attempting to do two things; first was to launch a ClientSide “Denial of Service” (DoS) attack against my website and second, they attempted to gain administrative privileges through RCE privilege escalation flaws in 3rd party add-on’s/services tied to my account – such as Oracle WebLogic. What the hackers did not anticipate however is that I run my website through WordPress.com, not WordPress.org, which does not support Oracle‘s services. This is because WordPress.org accounts require owners to set up and host their DNS through an independent web server, such as Oracle – which just so happens to be one one of the Internets largest companies.

Researching the mechanics behind how Oracle WebLogic works and transports data across the internet, while Oracles servers are protected from within and an account holders information is “encrypted”  behind their logins, once logged in however, as their data is transferred between Oracle cloud server and their WordPress website it is transported via http transports – which as unencrypted.  As such, attempting to exploit this unsecured connection between the two parties, hackers are attempting to get in the middle of the data exchange by injecting malicious JavaScript into the framework of Oracle WebLogic – also built on JavaScript – in order to gain administrator level access to the end website. Once the connection is compromised, once inside, hackers can edit, upload and install virtual machines to run within the framework of the existing programs – theoretically intercepting any future data exchanged between the two parties whilst also gaining access to all previously stored information.

Image may contain: text

 

While I do not own a WordPress.org account personally, this is something to watch out for. It is also a good idea to write a rule or install a plugin forcing all network traffic through https. You should also block/ban bad query strings and enforce HSTS security headers for each of your pages sites or article. TLS is also a must in 2018. As of 10/17/2018 this information has been reported to both WordPress and Oracle respectively.

 

Do NOT follow this link or you will be banned from the site!
%d bloggers like this: