Threat actors are actively exploiting Oracle WebLogic servers that remain unpatched against CVE-2020-14882 to deploy Cobalt Strike beacons, which allow persistent remote access to compromised devices. 66 percent of all ransomware attacks this quarter involved the red-teaming framework, the Cisco Talos Incident Response (CTIR) team revealed in a September quarterly report. Attackers are using a chain of base64-encoded PowerShell scripts to download and install Cobalt Strike payloads on vulnerable Oracle WebLogic servers.
Source: https://www.bleepingcomputer.com/news/security/critical-bug-actively-used-to-deploy-cobalt-strike-on-oracle-servers/
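For defenders triaging process-creation logs from WebLogic hosts, the following added example (not taken from the article or from Talos) unwraps chained base64-encoded PowerShell command lines layer by layer so the final script can be reviewed. The sample command line is constructed and benign, and the two-layer threshold in `is_chained` is an assumption to tune locally.

```python
import base64
import binascii
import re

# A "-e..." style flag followed by a base64 token. PowerShell accepts any
# unambiguous prefix of -EncodedCommand (-e, -en, -enc, ...) plus the alias -ec.
FLAG_AND_TOKEN = re.compile(r"(?i)\s-(e[a-z]*)\s+([A-Za-z0-9+/=]{8,})")

def decode_encoded_arg(cmdline):
    """Return the decoded script of the first -EncodedCommand argument, else None."""
    for match in FLAG_AND_TOKEN.finditer(cmdline):
        flag = match.group(1).lower()
        if not ("encodedcommand".startswith(flag) or flag == "ec"):
            continue  # e.g. -ExecutionPolicy, not an encoded command
        try:
            # PowerShell encodes the script as UTF-16LE before base64.
            return base64.b64decode(match.group(2), validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            continue
    return None

def unwrap(cmdline, max_depth=10):
    """Peel nested encoded commands; returns each decoded layer, outermost first."""
    layers, current = [], cmdline
    while len(layers) < max_depth:
        decoded = decode_encoded_arg(current)
        if decoded is None:
            break
        layers.append(decoded)
        current = decoded
    return layers

def is_chained(cmdline, threshold=2):
    """Assumed heuristic: two or more encoded layers is worth an analyst's look."""
    return len(unwrap(cmdline)) >= threshold

def ps_encode(script):
    """Helper used only to build the constructed sample below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample: a benign script wrapped in two encoded layers.
INNER = "Write-Output 'constructed sample'"
STAGE1 = "powershell -enc " + ps_encode(INNER)
SAMPLE_CMDLINE = "powershell.exe -NoProfile -EncodedCommand " + ps_encode(STAGE1)

if __name__ == "__main__":
    for depth, layer in enumerate(unwrap(SAMPLE_CMDLINE), start=1):
        print(f"layer {depth}: {layer}")
```
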