Hackers are Attempting To Exploit HTTP Transports Through Oracle WebLogic

Last night and on through this morning, my site has started coming under heavy attack from all over the world – but mostly out of the Asia Pacific region. More specifically, from Ukraine, Germany, Vietnam, Brisbane and China. What I uncovered was a new hacking technique I had never come across before, attempting to exploit http transports of cloud data services which hackers expected to be connected to my WordPress account. While the incident can be thought of more as a “probe” than an outright “hack,” it did reveal a lot about the strategy they had hoped to employ.

Auditing my firewall logs, it appears as though hackers were first attempting to run XSS attacks against my php file setup, hoping I had made/built custom edits to it through a phpMyAdmin (pma) shell at some point or another in the past. When that didn’t work, hackers started probing my site to find out whether or not my account was tied to Oracle WebLogic. For example, hackers repeatedly ran a string of probes that looked something like this:

[Image: screenshot of firewall log entries showing the probe requests; the image is not reproduced here]

There were over 40 additional log entries just like this made over the course of a 12-14 hour time span, from multiple IPs. Upon investigation, hackers were attempting to do two things: launch client-side denial-of-service attacks against my website and/or gain administrative privileges to it by hacking/exploiting 3rd party add-ons/services tied to my WordPress account. What the hackers did not anticipate however is that I run my website through WordPress.com – not WordPress.org. This is important to understand because Oracle’s services can only be installed through WordPress.org accounts, which require owners to set up and host their own name servers/accounts – oftentimes through Oracle, which just so happens to be one of the Internet’s largest companies.

Researching the mechanics behind how Oracle WebLogic works and transports data: while Oracle’s servers are protected from within and an individual account holder’s information is “encrypted” by their user name and login, once logged in, the data/content transferred between the Oracle cloud and WordPress (and vice versa) is exchanged via http transports. Using this unsecured connection between the two parties, hackers are attempting to get in the middle of the data exchange by injecting malicious JavaScript into the framework of WebLogic, also built on JavaScript, in order to gain administrator access to the end website. Once inside, hackers can edit, upload and install virtual machines to run within the framework of the existing programs – theoretically intercepting any future data exchanged between the two parties while also gaining access to all previously stored information.

While I do not own a WordPress.org account personally, this is something to watch out for. It is also a good idea to write a rule or install a plugin forcing all network traffic through https. You should also block/ban bad query strings and enforce HSTS security headers for each of your pages, sites or articles. TLS is also a must in 2018. As of 10/17/2018 this information has been reported to both WordPress and Oracle respectively.
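As an added example (not part of the original post, and not code from WordPress or Oracle), here is a small Python script that checks two of the recommendations above from the outside: that a plain-http request is redirected to https, and that the https response carries a Strict-Transport-Security (HSTS) header with a reasonable max-age. The function names, the 180-day threshold and the sample responses are my own assumptions; the sample responses are constructed so the script runs offline, and `fetch()` is provided for running the same checks against a real site you administer.

```python
"""Audit HTTP-to-HTTPS redirect and HSTS header on a site you administer.

Added example, not part of the original post. Helper names, the
MIN_HSTS_AGE threshold and the sample responses are assumptions.
"""
import urllib.request
from urllib.error import HTTPError

# Policy threshold chosen for this example: 180 days in seconds.
MIN_HSTS_AGE = 15552000


def _get(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_https_redirect(status, headers):
    """Evaluate the response to a plain-http request; returns (ok, message)."""
    location = _get(headers, "Location") or ""
    if status in (301, 302, 307, 308) and location.lower().startswith("https://"):
        return True, f"http request redirected ({status}) to {location}"
    return False, f"http request not redirected to https (status {status})"


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(headers):
    """Evaluate the HSTS header of an https response; returns (ok, message)."""
    raw = _get(headers, "Strict-Transport-Security")
    if raw is None:
        return False, "no Strict-Transport-Security header"
    directives = parse_hsts(raw)
    try:
        max_age = int(directives.get("max-age", "-1"))
    except ValueError:
        return False, f"unparseable max-age in HSTS header: {raw!r}"
    if max_age < MIN_HSTS_AGE:
        return False, f"HSTS max-age {max_age} is below {MIN_HSTS_AGE}"
    message = f"HSTS max-age={max_age}"
    if "includesubdomains" not in directives:
        message += " (note: includeSubDomains not set)"
    return True, message


def audit(http_status, http_headers, https_headers):
    """Run both checks; returns {check_name: (ok, message)}."""
    return {
        "https_redirect": check_https_redirect(http_status, http_headers),
        "hsts": check_hsts(https_headers),
    }


def fetch(url):
    """Fetch a URL without following redirects; returns (status, headers)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, hdrs, newurl):
            return None  # stop so we can inspect the 3xx itself
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except HTTPError as err:
        return err.code, dict(err.headers)


if __name__ == "__main__":
    # Constructed sample responses; for a live check use
    # fetch("http://your-site.example/") and fetch("https://your-site.example/").
    sample_http_status, sample_http_headers = 301, {"Location": "https://your-site.example/"}
    sample_https_headers = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    for name, (ok, msg) in audit(sample_http_status, sample_http_headers, sample_https_headers).items():
        print(f"[{'PASS' if ok else 'FAIL'}] {name}: {msg}")
```

Run it as-is to see the constructed sample pass; swap in `fetch()` results for a site you control to audit the real configuration. Note that this only observes what the server sends; the redirect rule and HSTS header themselves still have to be configured in the web server or a plugin.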

Published by Brian Dunn – Writer, Researcher, Owner: Rogue Media Labs | Rogue Security Labs (929)-319-2570 BrianDunn@RogueSecurityLabs.Ltd
