8220 Gang Exploits Oracle WebLogic Server Flaw to Proliferate Malware
December 19, 2023
The cybercriminal collective known as the 8220 Gang has been detected exploiting a significant vulnerability (CVE-2020-14883) in Oracle's WebLogic Server to disseminate their malware. This flaw, with a CVSS score of 7.2, is a remote code execution bug that could be leveraged by authenticated attackers to gain control over vulnerable servers.
Imperva, in a report issued last week, stated, "This vulnerability allows remote authenticated attackers to execute code using a gadget chain and is commonly chained with CVE-2020-14882 (an authentication bypass vulnerability also affecting Oracle Weblogic Server) or the use of leaked, stolen, or weak credentials." The 8220 Gang has a track record of exploiting known security vulnerabilities to propagate cryptojacking malware.
Earlier in May, the group was observed using another Oracle WebLogic Server vulnerability (CVE-2017-3506, CVSS score: 7.4) to enlist devices into a crypto mining botnet. Imperva's recent documentation of the group's attack chains describes the exploitation of CVE-2020-14883 to craft specially designed XML files and ultimately execute code that deploys stealer and coin mining malware such as Agent Tesla, rhajk, and nasqa.
According to Daniel Johnston, a security researcher at Imperva, the group appears opportunistic in its target selection, with no discernible trend in country or industry. Its campaign targets include sectors such as healthcare, telecommunications, and financial services in countries including the U.S., South Africa, Spain, Colombia, and Mexico. Johnston added, "The group relies on simple, publicly available exploits to target well-known vulnerabilities and exploit easy targets to achieve their objectives. While considered unsophisticated, they are constantly evolving their tactics and techniques to evade detection."