Threat actors are actively exploiting a zero-day vulnerability in Oracle WebLogic (CVE-2019-2725) that allows an attacker to gain full access to the server over a plain HTTP connection. Sodinokibi ransomware does not rely on the traditional distribution methods, which generally require some form of user interaction to start the download. Instead, it exploits the Oracle WebLogic vulnerability to make the affected server download a copy of the ransomware itself. In some cases the initial attack has been followed by a second attack on the same target that distributes GandCrab v5.2. The NJCCIC recommends that users patch WebLogic as soon as possible.
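Because the exploit arrives over HTTP with no user interaction, the server's own access log is the first place a defender can see it. The following is an added example, not part of the NJCCIC advisory: it parses constructed Combined Log Format lines and flags POST requests from outside the internal range to the web services of the affected WebLogic components (the `/_async/` and `/wls-wsat/` path prefixes are assumed from the publicly documented affected components; the IP ranges and sample lines are constructed).

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample access log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Apr/2019:10:02:11 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 3124 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Apr/2019:10:03:40 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0 "-" "python-requests/2.21.0"
10.0.0.9 - - [27/Apr/2019:10:04:02 +0000] "GET /wls-wsat/CoordinatorPortType HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [27/Apr/2019:10:05:19 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1290 "-" "curl/7.64.0"
10.0.0.5 - - [27/Apr/2019:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 221 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption: the web services exposed by the affected WebLogic components
# (wls9_async_response and wls-wsat) live under these prefixes in your deployment.
WATCHED_PREFIXES = ("/_async/", "/wls-wsat/")
# Assumption (constructed): the network the legitimate administrators come from.
INTERNAL_NET = ip_network("10.0.0.0/8")


def parse_line(line):
    """Return a dict of log fields, or None if the line is not Combined Log Format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_suspicious(entry):
    # The vulnerability is triggered by a POST to these services, so a POST from
    # outside the management network is the event worth alerting on; plain GETs
    # (e.g. someone viewing the WSDL) are not escalated.
    if entry["method"] != "POST" or not entry["path"].startswith(WATCHED_PREFIXES):
        return False
    return ip_address(entry["ip"]) not in INTERNAL_NET


def find_suspicious_requests(log_text):
    """Return (ip, path, status, user_agent) tuples for every suspicious request."""
    entries = (parse_line(l) for l in log_text.splitlines())
    return [(e["ip"], e["path"], e["status"], e["ua"]) for e in entries if e and is_suspicious(e)]


def hits_per_source(log_text):
    """Count suspicious requests per source IP, to prioritise investigation."""
    return Counter(ip for ip, *_ in find_suspicious_requests(log_text))


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print("ALERT: possible CVE-2019-2725 probe/exploit attempt:", hit)
```

A hit should be followed by checking the WebLogic host for the patch level and for unexpected child processes or newly written files, since the advisory notes the server downloads the ransomware itself.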

Technical Details and Reporting

· Cisco Talos provides details of this ransomware variant here.

· Bleeping Computer also provides other IOCs here.
