New Linux Malware "Hadooken" Targets Oracle WebLogic Servers
Aqua Nautilus researchers have identified a new malware targeting Oracle WebLogic servers. The malware, named Hadooken, is suspected to reference the “surge fist” attack from the Street Fighter series. When executed, it drops the Tsunami malware and deploys a cryptominer, posing a severe threat to enterprise systems. In this post, we’ll break down the malware, its attack components, and detection methods.
What is Oracle WebLogic Server?
Oracle WebLogic Server is a Java EE application server designed for large-scale, distributed systems. It’s commonly used in industries like banking, e-commerce, and business-critical environments due to its scalability and robust support for Java technologies. However, its vulnerabilities make it a frequent target for cyberattacks.
Common vulnerabilities include:
- Deserialization flaws
- Improper access controls
- Misconfigurations like weak credentials or exposed admin consoles
If left unpatched, these weaknesses can lead to remote code execution (RCE), privilege escalation, and severe data breaches.
Attack Flow
In the case of Hadooken, the attackers exploited a weak password in Aqua’s WebLogic honeypots to gain access, ultimately leading to remote code execution. Once inside, they deployed several malicious components, including the cryptomining Tsunami malware.
Mapping to the MITRE ATT&CK Framework
The attack used several well-known tactics and techniques from the MITRE ATT&CK framework:
- Initial Access: Exploit Public-Facing Application (CVE vulnerabilities and weak credentials)
- Execution: Command and Scripting Interpreter (Unix Shell, Python, PowerShell scripts)
- Persistence: Create or Modify System Process (Cron jobs for periodic malicious execution)
- Defense Evasion: Obfuscated Files (Base64 encoding), Masquerading (using names like -java, -bash)
- Lateral Movement: SSH Hijacking (iterating over SSH keys)
- Impact: Resource Hijacking (cryptominer) and potential ransomware attacks in future iterations
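As an added example (not code from Aqua's report or from this post), a small Python hunt that applies two of the mapped techniques above to constructed `ps` and crontab output: the leading-dash masquerade names (-java, -bash) and cron entries that decode Base64 straight into a shell. The TTY heuristic, the column layout and the sample rows are assumptions.

```python
import re

# Process names the post reports Hadooken used to masquerade (Defense Evasion).
MASQUERADE_NAMES = {"-java", "-bash"}
# Cron command decoding base64 straight into a shell (cron persistence + Base64).
B64_PIPE_TO_SHELL = re.compile(r"base64\s+(?:-d|--decode)\b.*\|\s*(?:ba)?sh\b")


def masquerading_processes(ps_lines):
    """Return (pid, comm) for `ps -eo pid,tty,comm` rows mimicking Hadooken's names.
    Heuristic assumption: a genuine interactive login shell also appears as
    "-bash" but owns a terminal, so "-bash" is flagged only when TTY is "?".
    """
    hits = []
    for line in ps_lines:
        parts = line.split(None, 2)
        if len(parts) < 3 or not parts[0].isdigit():
            continue  # header or malformed row
        pid, tty, comm = int(parts[0]), parts[1], parts[2]
        if comm not in MASQUERADE_NAMES:
            continue
        if comm == "-bash" and tty != "?":
            continue  # real login shell on a terminal
        hits.append((pid, comm))
    return hits


def suspicious_cron_entries(crontab_lines):
    """Return non-comment crontab lines that pipe decoded base64 into a shell."""
    return [
        line.strip()
        for line in crontab_lines
        if line.strip() and not line.lstrip().startswith("#")
        and B64_PIPE_TO_SHELL.search(line)
    ]


# Constructed sample data standing in for `ps -eo pid,tty,comm` and `crontab -l`;
# the base64 below decodes to the harmless string "echo hello".
SAMPLE_PS = """\
    PID TT       COMMAND
   1402 pts/0    -bash
   2210 ?        -bash
   2233 ?        -java
   2301 ?        java
""".splitlines()

SAMPLE_CRON = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * echo ZWNobyBoZWxsbw== | base64 -d | bash
""".splitlines()
```

Running it against the samples flags PIDs 2210 and 2233 and the single five-minute cron line, while the interactive `-bash` on pts/0 and the plain `java` process pass.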
Detection and Mitigation Strategies
Aqua’s honeypot environment helped expose the Hadooken malware. Their proactive approach offers insights into how security teams can detect and prevent such attacks.
Key Tools and Best Practices:
Infrastructure as Code (IaC) Scanning Tools
Tools like Aqua Trivy scan IaC templates for misconfigurations before deployment, preventing vulnerabilities early in the process.
Cloud Security Posture Management (CSPM)
CSPM tools monitor cloud services (AWS, GCP, Azure) for potential misconfigurations and compliance issues, minimizing security risks.
Kubernetes Security
Tools like Kube-Bench and Aqua Trivy ensure Kubernetes clusters comply with security best practices, checking for vulnerabilities and misconfigurations.
Container Security
Aqua Trivy scans container images for vulnerabilities and hidden malware. This layer of security prevents compromised containers from infiltrating the system.
Runtime Security
Aqua Tracee monitors cloud-native environments for suspicious behavior in real time. In the case of Hadooken, Aqua’s platform detected 16 malicious incidents.
Conclusion
Hadooken exemplifies the increasing sophistication of malware targeting enterprise-level systems like Oracle WebLogic. By exploiting weak credentials and deploying malware components like Tsunami, attackers can compromise entire networks, resulting in financial and operational losses. Leveraging proactive security tools, such as those offered by Aqua, can help detect and mitigate these threats before they cause serious damage.
Stay vigilant and secure your infrastructure.