8220 gang exploits vulnerability of Oracle WebLogic servers to spread malware

WebLogic Server Vulnerability

The threat actors associated with the 8220 Gang They have been observed exploiting a serious flaw in Oracle WebLogic Server to spread their malware.

The safety deficit is CVE-2020-14883 (CVSS score: 7.2), a remote code execution bug that can be exploited by authenticated attackers to take over sensitive servers.

“This vulnerability allows remotely authenticated attackers to execute code using a gadget chain CVE-2020-14882 (an authentication bypass vulnerability that also affects Oracle Weblogic Server) or the use of leaked, stolen or weak credentials,” says Imperva said in a report published last week.

The 8220 Gang has a history of exploiting known security flaws to spread cryptojacking malware. Earlier this year, the group was spotted exploiting another flaw in Oracle WebLogic servers (CVE-2017-3506, CVSS score: 7.4) to link the devices to a cryptomining botnet.

Recent attack chains documented by Imperva include exploiting CVE-2020-14883 to craft XML files and ultimately execute code responsible for deploying stealer and coin mining malware such as Agent Tesla, rhajk, and nasqa.

Oracle WebLogic

“The group appears to be opportunistic in selecting their targets, with no clear trend in the country or industry,” said Imperva security researcher Daniel Johnston.

Campaign targets include the healthcare, telecommunications and financial services sectors in the US, South Africa, Spain, Columbia and Mexico.

“The group relies on simple, publicly available exploits to address known vulnerabilities and exploit easy targets to achieve their objectives,” Johnston added. “Although they are considered unsophisticated, they are constantly evolving their tactics and techniques to evade detection.”

 

#gang #exploits #vulnerability #Oracle #WebLogic #servers #spread #malware

Total
0
Shares
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments
Previous Post
Malvertising Campaign

New malvertising campaign distributing PikaBot disguised as popular software

Next Post
Play Ransomware

Double extortion Play ransomware affects 300 organizations worldwide

Related Posts