
In a recent incident investigated by security responders, attackers leveraged this service as an entry point to gain remote access.
By repeatedly attempting logins with various credentials, the attackers eventually authenticated with SYSDBA privileges, which gave them full control over database operations even while the database was closed.
Once inside, the attackers utilized the scheduler’s ability to execute external jobs, specifically running the extjobo.exe process.
This process listens on a Windows named pipe and executes any command input with the service’s privileges, allowing remote command execution with little restriction.
Attackers used this mechanism to pass encoded PowerShell commands, enabling them to run reconnaissance scripts, collect system information, and download payloads from their command-and-control (C2) infrastructure.
Evidence included the creation and deletion of batch files such as test3.bat and tfod.cmd; the latter mapped directly to reverse shell code found in public GitHub repositories, giving the attackers persistent remote access without detection.
Establishing Encrypted Tunnels and Payload Delivery
To mask their movements and retain uninterrupted access, the attackers deployed Ngrok. This tunneling solution sets up secure HTTPS tunnels from the compromised server to remote infrastructure controlled by the actor.
They created configuration files (ngrok.yml) containing authentication tokens needed for this connectivity and ran Ngrok with parameters to expose remote desktop ports over TCP. This allowed interactive sessions, including RDP over port 3389, without alerting perimeter defenses.

During lateral movement, the attackers escalated privileges by creating new local administrator accounts, using infostealer and process manipulation tools such as Process Hacker (renamed PT.exe) to harvest credentials and manipulate active tokens.
Scheduled tasks created with SCHTASKS.EXE, together with the established network channels, ensured that the ransomware payloads, disguised under unconventional file extensions to evade detection, executed at system startup, encrypting company data and dropping ransom notes attributed to the ProximaBlackshadow ransomware family.
Finally, cleanup routines deleted evidence, including the malicious executables and registry alterations intended to disrupt Ngrok’s operation upon incident closure.
This attack flow highlights the critical risk posed by exposed Oracle DBS Job Scheduler services, particularly when combined with weak privilege separation and insufficient monitoring of seemingly legitimate scheduled activities.
Defenders should prioritize network segmentation, enforce strict job execution policies, and monitor for suspicious scheduler activity, particularly encoded PowerShell usage and unexpected external job executions, to counter these advanced tactics.
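As an added illustration of the monitoring advice above (this is example code, not from the original article or any vendor tool), the script below runs simple detection logic over constructed process-creation events. It flags two of the behaviours described in the incident: extjobo.exe spawning a command shell, and PowerShell launched with an encoded command, which it decodes so an analyst can read the script instead of a base64 blob. The event format (Sysmon-style fields flattened to key=value pairs separated by "|"), the file paths, the rule names and the sample lines are all assumptions made for the example.

```python
"""Detection sketch: flag extjobo.exe spawning shells and encoded PowerShell.

Added example, not code from the original article. The event layout, field
names, paths and sample lines are constructed assumptions (Sysmon-style
process-creation data flattened to key=value pairs separated by '|')."""
import base64
import re

# Constructed: a harmless encoded command, built here so the decoder can be exercised.
_DEMO_SCRIPT = "Write-Output 'constructed sample'"
_DEMO_B64 = base64.b64encode(_DEMO_SCRIPT.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [  # constructed sample events, not data from the incident
    r"ParentImage=C:\oracle\bin\extjobo.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c C:\temp\test3.bat",
    r"ParentImage=C:\oracle\bin\extjobo.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -NoP -W Hidden -enc " + _DEMO_B64,
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe readme.txt",
    r"ParentImage=C:\Windows\System32\svchost.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -Command Get-Date",
]

SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# PowerShell accepts -e, -enc, -EncodedCommand and other unambiguous prefixes,
# followed by a base64 blob; require a reasonably long blob to skip -ep Bypass etc.
ENCODED_ARG = re.compile(r"(?<![\w-])-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def parse_event(line: str) -> dict:
    """Split 'k=v|k=v' into a dict; split on the first '=' only, since base64 values may end in '='."""
    return dict(part.split("=", 1) for part in line.split("|"))


def decode_encoded_command(blob: str):
    """-EncodedCommand carries base64 of UTF-16LE text; return None if the blob is not that."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(event: dict) -> list:
    """Return (rule, detail) findings for one process-creation event."""
    findings = []
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmdline = event.get("CommandLine", "")

    # Rule 1: the Oracle external-job runner launching an interactive shell.
    if parent == "extjobo.exe" and image in SHELL_IMAGES:
        findings.append(("oracle_extjob_spawned_shell", f"{parent} -> {image}: {cmdline}"))

    # Rule 2: encoded PowerShell anywhere; decode it so the analyst sees the real script.
    if image in POWERSHELL_IMAGES:
        match = ENCODED_ARG.search(cmdline)
        if match:
            decoded = decode_encoded_command(match.group(1))
            findings.append(("encoded_powershell", decoded if decoded is not None else "<undecodable>"))
    return findings


def scan(lines) -> list:
    """Run analyse() over raw event lines and collect every finding in order."""
    results = []
    for line in lines:
        results.extend(analyse(parse_event(line)))
    return results


if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Two design points matter in practice. The encoded-command regex deliberately accepts the abbreviated forms (-e, -enc) because they are as common as the full switch, and the decoder exists because keyword matching on the raw command line sees only base64. extjobo.exe does run legitimate external jobs, so the first rule is a baseline rule: tune it against the jobs your DBAs actually schedule rather than treating every hit as malicious.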
The post Attackers Using Oracle Database Scheduler to Infiltrate Companies appeared first on Cyber Security News.
