Security News > 2023 > May > 8220 Gang Exploiting Oracle WebLogic Flaw to Hijack Servers and Mine Cryptocurrency
The notorious cryptojacking group tracked as 8220 Gang has been spotted weaponizing a six-year-old security flaw in Oracle WebLogic servers to ensnare vulnerable instances into a botnet and distribute cryptocurrency mining malware.
The flaw in question is CVE-2017-3506, which, when successfully exploited, could allow an unauthenticated attacker to execute arbitrary commands remotely.
8220 Gang, first documented by Cisco Talos in late 2018, is so named for its original use of port 8220 for command-and-control network communications.
"8220 Gang is known to make use of SSH brute force attacks post-infection for the purposes of lateral movement inside a compromised network."
Earlier this year, Sydig detailed attacks mounted by the "Low-skill" crimeware group between November 2022 and January 2023 that aim to breach vulnerable Oracle WebLogic and Apache web servers and deploy a cryptocurrency miner.
In the latest attack chain documented by Trend Micro, the Oracle WebLogic Server vulnerability is leveraged to deliver a PowerShell payload, which is then used to create another obfuscated PowerShell script in memory.
News URL
https://thehackernews.com/2023/05/8220-gang-exploiting-oracle-weblogic.html
Related news
- 'Hadooken' Linux malware targets Oracle WebLogic servers (source)
- New Linux Malware Campaign Exploits Oracle Weblogic to Mine Cryptocurrency (source)
- New Linux malware Hadooken targets Oracle WebLogic servers (source)
- New Perfctl Malware Targets Linux Servers for Cryptocurrency Mining and Proxyjacking (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2017-04-24 | CVE-2017-3506 | Unspecified vulnerability in Oracle Weblogic Server Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). | 7.4 |