Malware Spreading Through Oracle WebLogic Server Flaw Used by 8220 Gang

The notorious 8220 Gang continues to exploit a critical vulnerability within Oracle WebLogic Server, leveraging it as a gateway to spread their sophisticated malware. This persistent threat actor group has been observed utilizing the security loophole identified as CVE-2020-14883 (with a CVSS score of 7.2), a high-severity flaw capable of enabling remote code execution and granting authenticated attackers control over susceptible servers.

Detailed in a report, this vulnerability serves as a pivot point for threat actors, commonly combined with CVE-2020-14882—an authentication bypass vulnerability within Oracle WebLogic Server—or through the utilization of compromised credentials. Exploiting this flaw allows the 8220 Gang to execute code via a gadget chain, facilitating their malicious activities.

The 8220 Gang’s modus operandi is a historical pattern of leveraging known security vulnerabilities to proliferate cryptojacking malware. In a previous incident this May, the group exploited another weakness in Oracle WebLogic servers (CVE-2017-3506, with a CVSS score of 7.4) to ensnare devices.

Recent investigations have unveiled the meticulous attack chains employed by the 8220 Gang, involving the exploitation of CVE-2020-14883. These cybercriminals craft specialized XML files to trigger code execution, ultimately deploying a variety of malware strains such as Agent Tesla, rhajk, and nasqa, known for their data-stealing and coin mining capabilities.

The group’s attacks display no discernible pattern regarding specific countries or industries. Rather, their targets encompass diverse sectors including healthcare, telecommunications, and financial services across regions like the U.S., South Africa, Spain, Columbia, and Mexico.

Despite their simplicity in employing readily available exploits for well-known vulnerabilities, researcher emphasized the 8220 Gang’s adaptability in constantly evolving their attack strategies. While their techniques might be considered unsophisticated, their ability to evolve and evade detection poses an ongoing challenge for cybersecurity efforts.

The continued exploits by the 8220 Gang underscore the persistent threats posed by cybercriminals adept at exploiting vulnerabilities, emphasizing the critical need for proactive security measures, constant vigilance, and prompt patching of known vulnerabilities to mitigate the risk of such sophisticated attacks.

Safeguard your systems against the 8220 Gang’s tactics by regularly updating Oracle WebLogic Server with the latest security patches. Implement strong authentication measures and limit access to critical systems. Monitor network traffic for suspicious activities and consider utilizing intrusion detection systems to detect and respond to potential threats promptly. Educate employees about phishing attempts and encourage a security-conscious culture within your organization.