The 8220 Gang [2] [3] [4] [5], a hacker group known for distributing cryptojacking malware [4] [5], has expanded their targeting to include Oracle WebLogic Server. They are exploiting a high-severity flaw [2] [4] [5], CVE-2020-14883 [1] [2] [3] [4] [5], which allows authenticated attackers to execute code and take control of vulnerable servers [2] [4] [5]. This vulnerability is being used by the group to propagate their malware [2]. In addition to CVE-2020-14883, they are also leveraging another vulnerability, CVE-2020-14882 [1] [2] [3] [4] [5], which enables authentication bypass [4]. The group has a history of targeting Oracle WebLogic Server vulnerabilities to create a crypto mining botnet.
Description
The 8220 Gang has recently been observed using CVE-2020-14883 in combination with an authentication bypass flaw or weak credentials to distribute their malware. They have developed two different exploit chains: one involving the loading of an XML file to execute commands on the operating system [1], and the other allowing the execution of Java code without an XML file. This hacker group has also targeted other applications such as Confluence [1], Log4j [1], Drupal [1], Hadoop YARN [1], and Apache Struts2 [1]. They have been observed deploying specially crafted XML files to distribute stealer and coin mining malware. Their targets span multiple sectors, including healthcare [3], telecommunications [3], and financial services [3], and they operate in various countries, including the US, South Africa [4] [5], Spain [4] [5], Colombia [4] [5], and Mexico [4] [5]. Despite being considered unsophisticated [3] [4] [5], the group continually adapts their tactics to avoid detection [3].
Conclusion
Organizations using Oracle WebLogic Server are strongly advised to apply security patches and follow best practices to mitigate the risk of exploitation [3]. The public availability of these exploits makes it easier for threat actors to modify and utilize them for malicious purposes [1]. It is crucial for affected organizations to take proactive measures to protect their systems and data.
References
[1] https://gbhackers.com/8220-hacker-group-windows-and-linux/
[2] https://cyber.vumetric.com/security-news/2023/12/19/8220-gang-exploiting-oracle-weblogic-server-vulnerability-to-spread-malware/
[3] https://cybermaterial.com/oracle-weblogic-exploit-spreading-malware/
[4] https://vulners.com/thn/THN:BAEFC84908358E8DE4118D3FEDE0AF82
[5] https://thehackernews.com/2023/12/8220-gang-exploiting-oracle-weblogic.html
