Security
Headlines
HeadlinesLatestCVEs

Headline

8220 Gang Exploiting Oracle WebLogic Flaw to Hijack Servers and Mine Cryptocurrency

The notorious cryptojacking group tracked as 8220 Gang has been spotted weaponizing a six-year-old security flaw in Oracle WebLogic servers to ensnare vulnerable instances into a botnet and distribute cryptocurrency mining malware. The flaw in question is CVE-2017-3506 (CVSS score: 7.4), which, when successfully exploited, could allow an unauthenticated attacker to execute arbitrary commands

The Hacker News
#vulnerability#web#windows#linux#cisco#apache#git#oracle#botnet#auth#ssh#The Hacker News

Cryptocurrency / Server Security

The notorious cryptojacking group tracked as 8220 Gang has been spotted weaponizing a six-year-old security flaw in Oracle WebLogic servers to ensnare vulnerable instances into a botnet and distribute cryptocurrency mining malware.

The flaw in question is CVE-2017-3506 (CVSS score: 7.4), which, when successfully exploited, could allow an unauthenticated attacker to execute arbitrary commands remotely.

“This allows attackers to gain unauthorized access to sensitive data or compromise the entire system,” Trend Micro researcher Sunil Bharti said in a report published this week.

8220 Gang, first documented by Cisco Talos in late 2018, is so named for its original use of port 8220 for command-and-control (C2) network communications.

“8220 Gang identifies targets via scanning for misconfigured or vulnerable hosts on the public internet,” SentinelOne noted last year. “8220 Gang is known to make use of SSH brute force attacks post-infection for the purposes of lateral movement inside a compromised network.”

Earlier this year, Sydig detailed attacks mounted by the “low-skill” crimeware group between November 2022 and January 2023 that aim to breach vulnerable Oracle WebLogic and Apache web servers and deploy a cryptocurrency miner.

It has also been observed making use of an off-the-shelf malware downloader known as PureCrypter as well as a crypter codenamed ScrubCrypt to conceal the miner payload and evade detection by security software.

In the latest attack chain documented by Trend Micro, the Oracle WebLogic Server vulnerability is leveraged to deliver a PowerShell payload, which is then used to create another obfuscated PowerShell script in memory.

This newly created PowerShell script disables Windows Antimalware Scan Interface (AMSI) detection and launches a Windows binary that subsequently reaches out to a remote server to retrieve a “meticulously obfuscated” payload.

UPCOMING WEBINAR

Learn to Stop Ransomware with Real-Time Protection

Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.

Save My Seat!

The intermediate DLL file, for its part, is configured to download a cryptocurrency miner from one of the three C2 servers – 179.43.155[.]202, work.letmaker[.]top, and su-94.letmaker[.]top – using TCP ports 9090, 9091, or 9092.

Trend Micro said recent attacks have also entailed the misuse of a legitimate Linux tool called lwp-download to save arbitrary files on the compromised host.

“lwp-download is a Linux utility present in a number of platforms by default, and 8220 Gang making this a part of any malware routine can affect a number of services even if it were reused more than once,” Bharti said.

“Considering the threat actor’s tendency to reuse tools for different campaigns and abuse legitimate tools as part of the arsenal, organizations’ security teams might be challenged to find other detection and blocking solutions to fend off attacks that abuse this utility.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Related news

8220 Gang Exploits Oracle WebLogic Server Flaws for Cryptocurrency Mining

Security researchers have shed more light on the cryptocurrency mining operation conducted by the 8220 Gang by exploiting known security flaws in the Oracle WebLogic Server. "The threat actor employs fileless execution techniques, using DLL reflective and process injection, allowing the malware code to run solely in memory and avoid disk-based detection mechanisms," Trend Micro researchers Ahmed

8220 Gang Targets Telecom and Healthcare in Global Cryptojacking Attack

By Deeba Ahmed The 8220 gang, believed to be of Chinese origins, was first identified in 2017 by Cisco Talos when they targeted Drupal, Hadoop YARN, and Apache Struts2 applications for propagating cryptojacking malware. This is a post from HackRead.com Read the original post: 8220 Gang Targets Telecom and Healthcare in Global Cryptojacking Attack

8220 Gang Exploiting Oracle WebLogic Server Vulnerability to Spread Malware

The threat actors associated with the 8220 Gang have been observed exploiting a high-severity flaw in Oracle WebLogic Server to propagate their malware. The security shortcoming is CVE-2020-14883 (CVSS score: 7.2), a remote code execution bug that could be exploited by authenticated attackers to take over susceptible servers. "This vulnerability allows remote authenticated

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).