• Menu
  • Skip to main content
  • Skip to primary sidebar

The Cyber Security News

Latest Cyber Security News

Header Right

  • Latest News
  • Vulnerabilities
  • Cloud Services
8220 gang exploiting oracle weblogic flaw to hijack servers and

8220 Gang Exploiting Oracle WebLogic Flaw to Hijack Servers and Mine Cryptocurrency

You are here: Home / General Cyber Security News / 8220 Gang Exploiting Oracle WebLogic Flaw to Hijack Servers and Mine Cryptocurrency
May 18, 2023

The infamous cryptojacking team tracked as 8220 Gang has been spotted weaponizing a 6-calendar year-old security flaw in Oracle WebLogic servers to ensnare susceptible occasions into a botnet and distribute cryptocurrency mining malware.

The flaw in issue is CVE-2017-3506 (CVSS rating: 7.4), which, when properly exploited, could let an unauthenticated attacker to execute arbitrary commands remotely.

“This enables attackers to attain unauthorized obtain to delicate data or compromise the full process,” Trend Micro researcher Sunil Bharti claimed in a report released this 7 days.

✔ Approved Seller From Our Partners
Mullvad VPN Discount

Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).

➤ Get Mullvad VPN with 12% Discount


8220 Gang, initially documented by Cisco Talos in late 2018, is so named for its authentic use of port 8220 for command-and-management (C2) network communications.

“8220 Gang identifies targets through scanning for misconfigured or vulnerable hosts on the community internet,” SentinelOne observed last calendar year. “8220 Gang is recognized to make use of SSH brute drive attacks post-infection for the reasons of lateral motion within a compromised network.”

Previously this calendar year, Sydig thorough attacks mounted by the “reduced-skill” crimeware group in between November 2022 and January 2023 that purpose to breach susceptible Oracle WebLogic and Apache web servers and deploy a cryptocurrency miner.

Cryptocurrency

It has also been noticed earning use of an off-the-shelf malware downloader acknowledged as PureCrypter as perfectly as a crypter codenamed ScrubCrypt to conceal the miner payload and evade detection by security software package.

In the most current attack chain documented by Craze Micro, the Oracle WebLogic Server vulnerability is leveraged to produce a PowerShell payload, which is then employed to generate one more obfuscated PowerShell script in memory.

This newly established PowerShell script disables Windows Antimalware Scan Interface (AMSI) detection and launches a Windows binary that subsequently reaches out to a distant server to retrieve a “meticulously obfuscated” payload.

Upcoming WEBINARLearn to Quit Ransomware with Authentic-Time Security

Sign up for our webinar and find out how to cease ransomware attacks in their tracks with genuine-time MFA and company account protection.

Preserve My Seat!

The intermediate DLL file, for its part, is configured to obtain a cryptocurrency miner from one of the 3 C2 servers – 179.43.155[.]202, function.letmaker[.]leading, and su-94.letmaker[.]prime – applying TCP ports 9090, 9091, or 9092.

Pattern Micro claimed modern attacks have also entailed the misuse of a legit Linux tool called lwp-download to preserve arbitrary files on the compromised host.

“lwp-obtain is a Linux utility current in a quantity of platforms by default, and 8220 Gang producing this a aspect of any malware regime can influence a quantity of providers even if it were being reused additional than when,” Bharti explained.

“Thinking of the threat actor’s inclination to reuse tools for different strategies and abuse legitimate resources as component of the arsenal, organizations’ security groups may well be challenged to obtain other detection and blocking methods to fend off attacks that abuse this utility.”

Discovered this write-up intriguing? Comply with us on Twitter  and LinkedIn to read much more special content we article.


Some elements of this short article are sourced from:
thehackernews.com

Previous Post: «Cyber Security News New Cloud Data Leak Adds to Capita’s Woes
Next Post: Government Publishes Playbook to Enhance Smart City Security Cyber Security News»

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Primary Sidebar

Report This Article

Recent Posts

  • Qilin Ransomware Adds “Call Lawyer” Feature to Pressure Victims for Larger Ransoms
  • Iran’s State TV Hijacked Mid-Broadcast Amid Geopolitical Tensions; $90M Stolen in Crypto Heist
  • 6 Steps to 24/7 In-House SOC Success
  • Massive 7.3 Tbps DDoS Attack Delivers 37.4 TB in 45 Seconds, Targeting Hosting Provider
  • 67 Trojanized GitHub Repositories Found in Campaign Targeting Gamers and Developers
  • New Android Malware Surge Hits Devices via Overlays, Virtualization Fraud and NFC Theft
  • BlueNoroff Deepfake Zoom Scam Hits Crypto Employee with MacOS Backdoor Malware
  • Secure Vibe Coding: The Complete New Guide
  • Uncover LOTS Attacks Hiding in Trusted Tools — Learn How in This Free Expert Session
  • Russian APT29 Exploits Gmail App Passwords to Bypass 2FA in Targeted Phishing Campaign

Copyright © TheCyberSecurity.News, All Rights Reserved.