Cryptojacked PeopleSoft Instances
Cryptojack, a recently coined verb that is not in the dictionaries yet but may soon find its place!
The word Cryptojack has been derived from the word hijack, which as per dictionary means:
- to force someone to give you control of a vehicle, aircraft, or ship that is in the middle of a trip.
- Someone who hijacks someone else’s ideas or plans uses those ideas and claims to have created them.
Several real life incidents and pure fiction in movies come to mind when the word hijack is referred to. Speed, Flight 93, The Taking of Phelam 123, Olympus has fallen, … the list goes on. My favorite is the Die Hard series.
But forget about the movies. This is not what it is about. Lets get back to Cryptojacking!
What is Cryptojacking?
Cryptojacking is defined as the secret use of your computing device (computer or mobile device) to mine cryptocurrency. It is basically stealing the computing power of devices without seeking prior permission from the owner of the device.
Typically hackers are associated with stealing data, which they sell in the realms of the dark web. But this new security threat, cryptojacking is not about stealing data but about stealing your computer’s resources (computing power) along with free use of electricity power.
Why Steal Computing Power?
Before getting into details, let’s consider the reasons behind it. Why are hackers after your system resources?
Security experts have seen a spike in cyberattacks this year that are aimed at stealing computer power for mining operations. Mining is a computationally intensive process that computers comprising a cryptocurrency network complete to verify the transaction record, called the blockchain, and receive digital coins in return.
What is Cryptojacking of PeopleSoft Instances
There have been several reported incidents of PeopleSoft instances getting cryptojacked because of a known vulnerability (CVE 2017-10271), which is present in Oracle WebLogic Web Services component (wls-wsat). Oracle Weblogic supported versions impacted by this cryptojacking are 10.3.6.0.0, 184.108.40.206.0, 220.127.116.11.0 and 18.104.22.168.0.
Cryptojacking of PeopleSoft instances is the act in which hackers gain access to the servers from which your Oracle Weblogic domains are running. Oracle released a patch for this vulnerability in October 2017 but multiple hackers are still exploiting this Weblogic vulnerability to secretly mine thousands of dollars worth of cryptocurrency because most of the Weblogic and PeopleSoft servers have not been patched yet. The cryptocurrency being mined by the so called process of cryptojacking primary includes Monero. There have been reports of other currencies too like AEON.
Gaining access to the servers
This Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. The exploit downloads a bash file (with an unsuspecting filename like startweblogic) that chooses a suitable working directory (usually the Weblogic home), gets system/root privileges, downloads and starts running the mining software. In some cases, this script intentionally kills the Weblogic service on the target while in some other cases, it just keeps running the mining software in the background causing a noticeable CPU spike, which could be unsuspecting especially for underutilized servers.
Interestingly enough the antivirus, anti-malware software installed on the server fails to block this miner for example – xmrig, which isn’t a form of malware, but is a legitimate miner for Monero.
How to Prevent Cryptojacking of PeopleSoft Instances
In case of PeopleSoft HRMS, this cryptojacking has the potential to become an issue of epic proportions because of involvement of sensitive data. Hence, the need to be alert and act fast.
Depending on whether you’ve already been crytojacked or not — there are a few things you can do. Here are a few suggestions. Note that each of them may not work or be applicable in your case.
- Have the network firewall team review review outgoing connections from your servers hosting Weblogic software. Block any unwanted ports and outgoing connections.
- Review the processes running in your server and look for suspicious processes. Many of these processes or executables have funny or distinct names like sourpear.exe, y.exe etc. You can try killing these as an immediate remedial action but these are usually scheduled via cron or scheduled task — they’ll show up soon.
- If enabled or collecting data, do a historic check of CPU usage to identify CPU increase.
- Install the applicable Weblogic patch. Check for latest updates in the Jan 2018 patch release. Most of the affected sites reported resolution of the issue by application of Oct-2017 patch but in some cases, the issue continued to persist. In some cases, the Oct-2017 patch may not even be available for your Weblogic version. You may have to explore the option of going to a higher weblogic version if your issue is unresolved yet and your current PeopleTools release supports multiple Weblogic versions. For example, PeopleTools 8.54 supports 22.214.171.124.0 and 126.96.36.199.0 and going to 188.8.131.52.0 Oct-2017 patch resolves the issue.
- In dire-case scenario, you may need to take the server offline and maybe replace them with new ones.
- Ideally speaking, staying as-much current as possible with the PeopleTools release helps but it is many a times not possible for countless reasons. You may need to plan a PeopleTools upgrade, especially if you’re still in pretty old release.
If you have any suggestions, please let us know and we can include them in the resolution.