Thursday, February 6, 2025
HomeCryptocurrency hack8220 Gang Exploiting Oracle WebLogic Server Flaw To Deploy Cryptominer

8220 Gang Exploiting Oracle WebLogic Server Flaw To Deploy Cryptominer

Published on

SIEM as a Service

Follow Us on Google News

The Oracle WebLogic Server vulnerabilities enable hackers to access unauthorized systems that are used for business data and applications. 

This can enable threat actors to bring in external programs and complete system control, consequently assuming admin privileges. The end result is a breach of information, denial of service attacks, or network propagation of malicious software, among other things. 

Oracle WebLogic Servers are a high-value and broadly implemented technology in organizations, which makes them appealing targets for threat actors who want to achieve maximum impact and monetary gains.

Cybersecurity analysts at Broadcom recently discovered that the 8220 gangs have been actively exploiting the Oracle WebLogic server flaw to deploy cryptominer.

8220 Gang Exploiting Oracle WebLogic Server Flaw

The 8220 Gang, a China-affiliated threat group consisting of skilled coders motivated mainly by financial gains, has been operating fairly continuously since 2017. 

This exemplary threat actor has been penetrating high-value entities that include sectors developing sophisticated malware and exploiting vulnerabilities. 

The constant achievement of their ultimate goal—illicit financial gains—combined with new methods and non-detectable schemes has attracted the attention of people all around the globe and raised the levels of defense measures.

Researchers said that this threat group is famous for using malware to mine cryptocurrencies illegally. Its major focus is on Linux servers and cloud-based environments.

The group exploits existing software flaws and then follows several methods, tactics, and procedures (TTPs) to invade systems and gain a stand occasionally.

Looking for Full Data Breach Protection? Try Cynet’s All-in-One Cybersecurity Platform for MSPs: Try Free Demo 

They later divert computational resources to perform secret cryptocurrency mining projects by using it stealthily.

The attackers exploited the following vulnerabilities in one of the recent cyberattacks to insert a cryptocurrency miner:-

For this to happen, threat actors wrote a PowerShell script that enabled them to covertly use mining software on compromised machines by using their system’s resources to mine digital currencies.

The scripts written in PowerShell used a lot of encoding, and in the batch file, there was a section of code that further hides the actual code. 

Due to the utilization of environment variables, the attackers were able to hide the malicious operations, which the security organizations and software would not easily see or detect.

The self-contained infection strategy of the group involved running most of the malware code directly in memory rather than on disk-storage resources, to avoid detection.

Get special offers from ANY.RUN Sandbox. Until May 31, get 6 months of free service or extra licenses. Sign up for free.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Paragon Spyware Allegedly Ends Spyware Contract with Italy

Paragon Solutions, an Israeli cybersecurity firm, has reportedly ended its spyware contract with Italy.The...

Authorities Arrested Hacker Who Compromised 40+ Organizations

Spanish authorities have arrested a hacker believed to be responsible for cyberattacks targeting over...

OpenAI Data Breach – Threat Actor Allegedly Claims 20 Million Logins for Sale

OpenAI may have become the latest high-profile target of a significant data breach.A...

Lumma Stealer Attacking Windows Users In India With Fake Captcha Pages

Cybersecurity experts are raising alarms over a new wave of attacks targeting Windows users...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Paragon Spyware Allegedly Ends Spyware Contract with Italy

Paragon Solutions, an Israeli cybersecurity firm, has reportedly ended its spyware contract with Italy.The...

Authorities Arrested Hacker Who Compromised 40+ Organizations

Spanish authorities have arrested a hacker believed to be responsible for cyberattacks targeting over...

OpenAI Data Breach – Threat Actor Allegedly Claims 20 Million Logins for Sale

OpenAI may have become the latest high-profile target of a significant data breach.A...