Surge in Exploits Targeting Oracle Database Scheduler
In recent weeks, cybersecurity experts have reported a notable uptick in attacks capitalizing on the External Jobs capability of Oracle Database Scheduler to infiltrate corporate infrastructures.
This method exploits the scheduler’s inherent ability to execute arbitrary commands on Windows-based database servers, enabling attackers to circumvent perimeter defenses with relative ease.
Initial breach vectors typically involve scanning publicly exposed Oracle listener ports and utilizing misconfigured credentials or default administrative credentials.
Upon gaining access, adversaries can activate the extjobo.exe component, executing commands with privileges paralleling those of the OracleJobScheduler service.
The ramifications of this exploitation strategy have been considerable. Organizations that implemented network segmentation and isolated their database servers nonetheless faced breaches due to the implicit trust accorded to the database scheduler process.
In a particular incident, threat actors successfully established encrypted tunnels to external Command & Control (C2) servers, created local administrative accounts, and deployed ransomware masquerading as routine database functions.
Event logs document a series of failed login attempts followed by a successful SYSDBA connection, suggesting that credential harvesting or brute-force methodologies were employed prior to command execution.
Analysts from Yarix have highlighted that, after securing credentials, adversaries exploited Oracle DBS External Jobs to initiate encoded PowerShell processes. This behavior signifies a transition toward living-off-the-land techniques, thereby minimizing the necessity to drop custom executables to disk.
Rather than relying on additional files, intruders funneled Base64-encoded scripts directly into PowerShell through extjobo.exe, which complicates detection and evades typical endpoint defenses.
In one instance, an attacker executed a command to gather system information preceding the download of a malicious payload. The decoded script is illustrated below:
$cpu = Get-CimInstance -ClassName Win32_Processor
$ram = Get-CimInstance -ClassName Win32_ComputerSystem
Write-Host $cpu.Name, $cpu.NumberOfLogicalProcessors, [math]::Round($ram.TotalPhysicalMemory/1GB,2)
Get-PSDrive -PSProvider FileSystem
Get-WmiObject -Class Win32_OperatingSystem | Select-String 'OS Name'
Get-ItemProperty -Path HKLM:\Server-Tcp -Name PortNumber
Mechanism of Infection via External Jobs
The External Jobs feature of the Oracle Database Scheduler was originally designed for database administrators to execute operating-system commands for maintenance purposes.
However, cybercriminals have discerned that any user endowed with scheduler privileges can connect to the named pipe utilized by extjobo.exe and inject malicious commands. In the documented attacks, perpetrators initially authenticated as SYSDBA and subsequently executed:
extjobo.exe -noservice -exec C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -EncodedCommand JABjAD0AbgBl…
This command invocation circumvents script execution policies (-ep Bypass) and injects Base64-encoded payloads directly into system memory.
The scheduler listens on a pipe commonly accessible to the ORACLEDBS service account, facilitating command execution without invoking new processes identifiable by traditional monitoring systems.

Post-initial reconnaissance, attackers employed similar commands to procure secondary payloads from C2 servers, establish reverse shells, and create a local account named Admine to ensure persistence and facilitate lateral movement.
By exploiting legitimate scheduler functionalities, perpetrators avoid generating executable artifacts on disk, relying instead on native Windows tools for reconnaissance, payload management, and tunneling.
Log records indicate that after each execution instance, attackers meticulously purged temporary batch files and erased scheduler tasks, significantly complicating forensic investigations.
This technique highlights the pressing need for stringent access controls regarding scheduler privileges, rigorous monitoring of named-pipe activities, and anomaly detection mechanisms for atypical extjobo.exe invocations within Oracle database environments.
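As an added illustration of the anomaly detection called for above (example code written for this article, not from Yarix or Oracle), the following Python flags child processes of extjobo.exe in parsed process-creation events and decodes any -EncodedCommand argument so the analyst sees the script in clear text. The event fields, file paths and the encoded one-liner are all constructed for the sample; real deployments would read the same fields from Sysmon Event ID 1 or an equivalent EDR feed.

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a hypothetical reconnaissance one-liner, encoded the way
# PowerShell expects for -EncodedCommand (Base64 over UTF-16LE text).
SAMPLE_SCRIPT = "Get-CimInstance -ClassName Win32_Processor"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

# Constructed process-creation events (Sysmon Event ID 1 fields, already parsed).
# Paths are placeholders, not real Oracle install locations.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\oracle\product\bin\extjobo.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -ep Bypass -EncodedCommand {SAMPLE_ENCODED}"},
    {"ParentImage": r"C:\oracle\product\bin\extjobo.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\oracle\scripts\nightly_backup.bat"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -EncodedCommand {SAMPLE_ENCODED}"},
]
# Matches -EncodedCommand and its accepted abbreviations; \b keeps "-ep" from matching "-e".
ENCODED_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\b\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

@dataclass
class Alert:
    severity: str                   # "high": PowerShell/encoded child; "review": any other child
    parent: str
    decoded_command: Optional[str]  # plaintext of the encoded payload, if one was present

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the plaintext of a -EncodedCommand argument, or None if absent or undecodable."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def evaluate(event: Dict[str, str]) -> Optional[Alert]:
    """Alert on every child of extjobo.exe; escalate when it is PowerShell or carries an encoded command."""
    parent = event.get("ParentImage", "")
    if not parent.lower().endswith("extjobo.exe"):
        return None
    decoded = decode_encoded_command(event.get("CommandLine", ""))
    is_powershell = event.get("Image", "").lower().endswith(("powershell.exe", "pwsh.exe"))
    severity = "high" if (is_powershell or decoded is not None) else "review"
    return Alert(severity, parent, decoded)
```

Lower-severity hits on legitimate maintenance jobs give the baseline of expected extjobo.exe children against which the high-severity encoded-PowerShell case stands out.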
Source link: Cybersecuritynews.com.