Tuesday, June 25, 2024

8220 Gang Exploiting Oracle WebLogic Server Flaw To Deploy Cryptominer

The Oracle WebLogic Server vulnerabilities enable hackers to access unauthorized systems that are used for business data and applications. 

This can enable threat actors to bring in external programs and complete system control, consequently assuming admin privileges. The end result is a breach of information, denial of service attacks, or network propagation of malicious software, among other things. 

Oracle WebLogic Servers are a high-value and broadly implemented technology in organizations, which makes them appealing targets for threat actors who want to achieve maximum impact and monetary gains.

Cybersecurity analysts at Broadcom recently discovered that the 8220 gangs have been actively exploiting the Oracle WebLogic server flaw to deploy cryptominer.

8220 Gang Exploiting Oracle WebLogic Server Flaw

The 8220 Gang, a China-affiliated threat group consisting of skilled coders motivated mainly by financial gains, has been operating fairly continuously since 2017. 

This exemplary threat actor has been penetrating high-value entities that include sectors developing sophisticated malware and exploiting vulnerabilities. 

The constant achievement of their ultimate goal—illicit financial gains—combined with new methods and non-detectable schemes has attracted the attention of people all around the globe and raised the levels of defense measures.

Researchers said that this threat group is famous for using malware to mine cryptocurrencies illegally. Its major focus is on Linux servers and cloud-based environments.

The group exploits existing software flaws and then follows several methods, tactics, and procedures (TTPs) to invade systems and gain a stand occasionally.

Looking for Full Data Breach Protection? Try Cynet’s All-in-One Cybersecurity Platform for MSPs: Try Free Demo 

They later divert computational resources to perform secret cryptocurrency mining projects by using it stealthily.

The attackers exploited the following vulnerabilities in one of the recent cyberattacks to insert a cryptocurrency miner:-

For this to happen, threat actors wrote a PowerShell script that enabled them to covertly use mining software on compromised machines by using their system’s resources to mine digital currencies.

The scripts written in PowerShell used a lot of encoding, and in the batch file, there was a section of code that further hides the actual code. 

Due to the utilization of environment variables, the attackers were able to hide the malicious operations, which the security organizations and software would not easily see or detect.

The self-contained infection strategy of the group involved running most of the malware code directly in memory rather than on disk-storage resources, to avoid detection.

Get special offers from ANY.RUN Sandbox. Until May 31, get 6 months of free service or extra licenses. Sign up for free.


Latest articles

Hackers Exploit Multiple WordPress Plugins to Hack Websites & Create Rogue Admin Accounts

Wordfence Threat Intelligence team identified a significant security breach involving multiple WordPress plugins. The initial...

Hackers Attacking Windows IIS Server to Upload Web Shells

Windows IIS Servers often host critical web applications and services that provide a gateway...

WikiLeaks Founder Julian Assange Released in Stunning Deal with U.S.

WikiLeaks founder Julian Assange has been released from prison after reaching a deal with...

Four Members of FIN9 Hackers Charged for Attacking U.S. Companies

Four Vietnamese nationals have been charged for their involvement in a series of computer...

BREAKING: NHS England’s Synnovis Hit by Massive Cyber Attack

In a shocking development, the NHS has revealed that it was the victim of...

Threat Actor Claiming a 0-day in Linux LPE Via GRUB bootloader

A new threat actor has emerged, claiming a zero-day vulnerability in the Linux GRUB...

LockBit Ransomware Group Claims Hack of US Federal Reserve

The notorious LockBit ransomware group has claimed responsibility for hacking the U.S. Federal Reserve,...
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles