The Oracle WebLogic Server vulnerabilities enable hackers to access unauthorized systems that are used for business data and applications.
This can enable threat actors to bring in external programs and complete system control, consequently assuming admin privileges. The end result is a breach of information, denial of service attacks, or network propagation of malicious software, among other things.
Oracle WebLogic Servers are a high-value and broadly implemented technology in organizations, which makes them appealing targets for threat actors who want to achieve maximum impact and monetary gains.
Cybersecurity analysts at Broadcom recently discovered that the 8220 gangs have been actively exploiting the Oracle WebLogic server flaw to deploy cryptominer.
8220 Gang Exploiting Oracle WebLogic Server Flaw
The 8220 Gang, a China-affiliated threat group consisting of skilled coders motivated mainly by financial gains, has been operating fairly continuously since 2017.
This exemplary threat actor has been penetrating high-value entities that include sectors developing sophisticated malware and exploiting vulnerabilities.
The constant achievement of their ultimate goal—illicit financial gains—combined with new methods and non-detectable schemes has attracted the attention of people all around the globe and raised the levels of defense measures.
Researchers said that this threat group is famous for using malware to mine cryptocurrencies illegally. Its major focus is on Linux servers and cloud-based environments.
The group exploits existing software flaws and then follows several methods, tactics, and procedures (TTPs) to invade systems and gain a stand occasionally.
Looking for Full Data Breach Protection? Try Cynet’s All-in-One Cybersecurity Platform for MSPs: Try Free Demo
They later divert computational resources to perform secret cryptocurrency mining projects by using it stealthily.
The attackers exploited the following vulnerabilities in one of the recent cyberattacks to insert a cryptocurrency miner:-
- CVE-2017-3506
- CVE-2023-21839
For this to happen, threat actors wrote a PowerShell script that enabled them to covertly use mining software on compromised machines by using their system’s resources to mine digital currencies.
The scripts written in PowerShell used a lot of encoding, and in the batch file, there was a section of code that further hides the actual code.
Due to the utilization of environment variables, the attackers were able to hide the malicious operations, which the security organizations and software would not easily see or detect.
The self-contained infection strategy of the group involved running most of the malware code directly in memory rather than on disk-storage resources, to avoid detection.
Get special offers from ANY.RUN Sandbox. Until May 31, get 6 months of free service or extra licenses. Sign up for free.