8220 gang exploits old Oracle WebLogic vulnerability to deliver infostealers, cryptominers

The 8220 gang has been leveraging an old Oracle WebLogic Server vulnerability (CVE-2020-14883) to distribute malware, the Imperva Threat Research team has found.

About 8220

Active since 2017, the 8220 gang has been known for deploying cryptocurrency miners on Linux and Windows hosts by exploiting known vulnerabilities.

“The group relies on simple, publicly available exploits to target well-known vulnerabilities and exploit easy targets to achieve their objectives. While considered unsophisticated, they are constantly evolving their tactics and techniques to evade detection,” noted Daniel Johnston, security analyst at Imperva.

Earlier this year, Trend Micro researchers revealed that 8220 have been exploiting CVE-2017-3506 – another critical vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware – to gain control of the targeted systems and install cryptominers.

Exploiting CVE-2020-14883

This time around, the gang has tried exploiting CVE-2020-14883, a critical remote code execution (RCE) vulnerability in Oracle WebLogic Server.

“This vulnerability allows remote authenticated attackers to execute code using a gadget chain and is commonly chained with CVE-2020-14882 (an authentication bypass vulnerability also affecting Oracle Weblogic Server) or the use of leaked, stolen, or weak credentials,” Johnston explained.

Following the exploit, the attackers download maliciously crafted XML files, allowing code execution, and finally deploy stealer and cryptominer malware (AgentTesla, rhajk, nasqa).

The chain of infection using CVE-2020-14883. (Source: Imperva Threat Research)

“The group appears to be opportunistic when selecting their targets, with no clear trend in country or industry,” Johnston said, and added that it has been targeting healthcare, telecommunications, and financial services in the US, South Africa, Spain, Columbia, and Mexico.