Stratos Ally

Linux Servers Under Attack: New Malware Exploits Oracle Vulnerability  


StratosAlly


A new Linux malware family called "Hadooken" has been documented by Aqua Nautilus researchers. It targets Oracle WebLogic servers, which are part of Oracle's Fusion Middleware and are widely used to deploy enterprise applications built on the Java EE and Jakarta EE standards. That footprint, and the fact that WebLogic is often exposed to the internet, is what makes it an attractive target.  

Hadooken gets into WebLogic servers by abusing security misconfigurations, above all weak administrator passwords, as well as known WebLogic vulnerabilities. It is the equivalent of walking through a poorly locked door. Once inside, it drops two payloads: a cryptominer and the Tsunami malware. The dropped binaries are written to locations such as /tmp under random file names so they blend in, much like a thief stashing stolen goods in random corners of a house hoping nobody notices. From there the miner quietly consumes the server's CPU to mine cryptocurrency.  

This stealth allows the malware to run undetected for an extended period, which is what makes it dangerous. By the time it is identified it may already have consumed significant processing power and, because it actively looks for ways to move laterally across the network, it may have reached other systems, making the incident far harder to contain.  

Hadooken maintains persistence by creating cron jobs under the server's /etc/cron.<period> directories. These jobs re-run its commands on a schedule, so the malware keeps working even after the server is rebooted. It is like leaving your door unlocked: someone sneaks in, installs a device to mine cryptocurrency, and comes back regularly to make sure it is still running.  

Hadooken does not stay put either: it searches the compromised server for SSH keys and uses them to reach other systems the server can log in to. The researchers also found that infrastructure involved in the attacks has links to ransomware activity, suggesting this is one piece of a larger, multi-platform operation.  

The clock is ticking. More than 230,000 WebLogic servers are reachable from the internet, so organisations running WebLogic should act now: patch known WebLogic vulnerabilities, replace weak administrator passwords and fix other misconfigurations before exposing a service, lock down cloud and container deployments, and monitor running systems for unexpected cron jobs, unknown executables in /tmp and sustained high CPU usage. 
