
Oracle Database Scheduler exploited in ransomware attack

[Image: Oracle Corporation location. Oracle offers technology and cloud-based solutions.]

GBHackers News reports that organizations' networks are being infiltrated in covert ransomware intrusions involving the abuse of Oracle Database Scheduler's External Jobs functionality, which could result in privilege escalation, encoded PowerShell command execution, and encrypted tunneling.

Threat actors behind one such intrusion posed as the SYS user to compromise an exposed Oracle Database, then used those elevated privileges to invoke External Jobs and run a PowerShell script that exfiltrated system data, an analysis from Yarix's Incident Response Team revealed.

After enabling remote command execution via WSMan and retrieving more payloads, the attackers launched Ngrok to tunnel Remote Desktop Protocol traffic, then used that tunnel to log in through a newly created local account with elevated privileges.

Further privilege escalation, Process Hacker abuse, potential token alteration, and network logon as an admin user eventually allowed the execution of ransomware, with all tools and payloads later removed to conceal illicit activity.

Such a threat should prompt entities leveraging Oracle Database Scheduler to adopt more stringent access controls and other security measures, researchers said.
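One concrete control a database or SOC team can add is a periodic review of Oracle Scheduler job definitions for external job types and encoded PowerShell in their actions. The following is an added example written for this article, not Yarix's or Oracle's tooling; it assumes rows shaped like the OWNER, JOB_NAME, JOB_TYPE and JOB_ACTION columns of DBA_SCHEDULER_JOBS, and the sample rows and encoded payload are constructed.

```python
import base64
import re

# Job types that run outside the database (OS executables / scripts).
EXTERNAL_JOB_TYPES = {"EXECUTABLE", "EXTERNAL_SCRIPT"}

# PowerShell accepts abbreviated forms of -EncodedCommand; longest alternative first.
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)

# Constructed, harmless encoded command (PowerShell expects UTF-16LE base64).
ENC = base64.b64encode("Write-Output 'constructed'".encode("utf-16-le")).decode()

# Constructed sample rows shaped like DBA_SCHEDULER_JOBS (not from the incident).
SAMPLE_JOBS = [
    {"owner": "SYS", "job_name": "GATHER_STATS_JOB", "job_type": "PLSQL_BLOCK",
     "job_action": "BEGIN dbms_stats.gather_schema_stats('HR'); END;"},
    {"owner": "SYS", "job_name": "JOB_1", "job_type": "EXECUTABLE",
     "job_action": "powershell.exe -NoP -W Hidden -EncodedCommand " + ENC},
    {"owner": "HR", "job_name": "NIGHTLY_EXPORT", "job_type": "EXTERNAL_SCRIPT",
     "job_action": "/opt/scripts/export.sh"},
]


def decode_encoded_command(action):
    """Return the decoded -EncodedCommand payload, or None if absent/undecodable."""
    match = ENCODED_FLAG.search(action)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def flag_suspicious_jobs(jobs):
    """Flag external jobs; attach the decoded command when PowerShell is encoded."""
    findings = []
    for job in jobs:
        if job["job_type"].upper() not in EXTERNAL_JOB_TYPES:
            continue
        decoded = decode_encoded_command(job["job_action"])
        reason = "external job type"
        if decoded is not None:
            reason += "; encoded PowerShell command"
        findings.append({"owner": job["owner"], "job_name": job["job_name"],
                         "job_type": job["job_type"], "reason": reason,
                         "decoded": decoded})
    return findings


if __name__ == "__main__":
    for finding in flag_suspicious_jobs(SAMPLE_JOBS):
        print(finding)
```

In production the rows would come from a query against DBA_SCHEDULER_JOBS run by a read-only auditing account, and any external job owned by SYS that was not created by a change ticket deserves immediate review.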
