Lucene search

K
thnThe Hacker NewsTHN:64BCAF6F8AC86911192766ED3D6AA28D
HistoryMay 18, 2023 - 9:31 a.m.

8220 Gang Exploiting Oracle WebLogic Flaw to Hijack Servers and Mine Cryptocurrency

2023-05-1809:31:00
The Hacker News
thehackernews.com
60

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

0.974 High

EPSS

Percentile

99.8%

Mine Cryptocurrency

The notorious cryptojacking group tracked as 8220 Gang has been spotted weaponizing a six-year-old security flaw in Oracle WebLogic servers to ensnare vulnerable instances into a botnet and distribute cryptocurrency mining malware.

The flaw in question is CVE-2017-3506 (CVSS score: 7.4), which, when successfully exploited, could allow an unauthenticated attacker to execute arbitrary commands remotely.

“This allows attackers to gain unauthorized access to sensitive data or compromise the entire system,” Trend Micro researcher Sunil Bharti said in a report published this week.

8220 Gang, first documented by Cisco Talos in late 2018, is so named for its original use of port 8220 for command-and-control (C2) network communications.

“8220 Gang identifies targets via scanning for misconfigured or vulnerable hosts on the public internet,” SentinelOne noted last year. “8220 Gang is known to make use of SSH brute force attacks post-infection for the purposes of lateral movement inside a compromised network.”

Earlier this year, Sydig detailed attacks mounted by the “low-skill” crimeware group between November 2022 and January 2023 that aim to breach vulnerable Oracle WebLogic and Apache web servers and deploy a cryptocurrency miner.

Cryptocurrency

It has also been observed making use of an off-the-shelf malware downloader known as PureCrypter as well as a crypter codenamed ScrubCrypt to conceal the miner payload and evade detection by security software.

In the latest attack chain documented by Trend Micro, the Oracle WebLogic Server vulnerability is leveraged to deliver a PowerShell payload, which is then used to create another obfuscated PowerShell script in memory.

This newly created PowerShell script disables Windows Antimalware Scan Interface (AMSI) detection and launches a Windows binary that subsequently reaches out to a remote server to retrieve a “meticulously obfuscated” payload.

The intermediate DLL file, for its part, is configured to download a cryptocurrency miner from one of the three C2 servers – 179.43.155[.]202, work.letmaker[.]top, and su-94.letmaker[.]top – using TCP ports 9090, 9091, or 9092.

Trend Micro said recent attacks have also entailed the misuse of a legitimate Linux tool called lwp-download to save arbitrary files on the compromised host.

“lwp-download is a Linux utility present in a number of platforms by default, and 8220 Gang making this a part of any malware routine can affect a number of services even if it were reused more than once,” Bharti said.

“Considering the threat actor’s tendency to reuse tools for different campaigns and abuse legitimate tools as part of the arsenal, organizations’ security teams might be challenged to find other detection and blocking solutions to fend off attacks that abuse this utility.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

0.974 High

EPSS

Percentile

99.8%