Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
trendmicroblogSunil BhartiTRENDMICROBLOG:7F5BE5F8A4681AFA25BE43543440A0AF
HistoryMay 30, 2024 - 12:00 a.m.

Decoding Water Sigbin's Latest Obfuscation Tricks

2024-05-3000:00:00
Sunil Bharti
www.trendmicro.com
5
water sigbin
8220 gang
oracle weblogic
cve-2017-3506
cve-2023-21839
cryptocurrency miner
powershell script
threat actor
new techniques
conceal activities
attacks defense

5.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.2 High

AI Score

Confidence

Low

0.955 High

EPSS

Percentile

99.4%

JSON

Water Sigbin (aka the 8220 Gang) exploited the Oracle WebLogic vulnerabilities CVE-2017-3506 and CVE-2023-21839 to deploy a cryptocurrency miner using a PowerShell script. The threat actor also adopted new techniques to conceal its activities, making attacks harder to defend against.

Related

thn 4
nvd 2
cvelist 2
githubexploit 7
prion 2
cisa_kev 2
cnvd 1
cve 2
vulnrichment 1
trendmicroblog 1
attackerkb 2
hackerone 1
nuclei 1
metasploit 1
zdt 1
packetstorm 1
checkpoint_advisories 1
talosblog 1
malwarebytes 1
openvas 1
fireeye 1
nessus 2
impervablog 1
rapid7blog 1
kitploit 1
oracle 2
thn
thn
Oracle WebLogic Server OS Command Injection Flaw Under Active Attack
2024-06-04 03:25:00
8220 Gang Exploiting Oracle WebLogic Flaw to Hijack Servers and Mine Cryptocurrency
2023-05-18 09:31:00
8220 Gang Exploiting Oracle WebLogic Server Vulnerability to Spread Malware
2023-12-19 06:58:00
nvd
nvd
CVE-2023-21839
2023-01-18 00:15:13
CVE-2017-3506
2017-04-24 19:59:03
cvelist
cvelist
CVE-2023-21839
2023-01-17 23:35:09
CVE-2017-3506
2017-04-24 19:00:00
githubexploit
githubexploit
Exploit for CVE-2023-21839
2023-05-29 02:08:37
Exploit for Vulnerability in Oracle Weblogic Server
2023-02-13 03:42:27
Exploit for CVE-2023-21839
2023-04-15 08:57:10
prion
prion
Code injection
2023-01-18 00:15:00
Design/Logic Flaw
2017-04-24 19:59:00
cisa_kev
cisa_kev
Oracle WebLogic Server Unspecified Vulnerability
2023-05-01 00:00:00
Oracle WebLogic Server OS Command Injection Vulnerability
2024-06-03 00:00:00
cnvd
cnvd
Oracle WebLogic Server Remote Code Execution Vulnerability (CNVD-2023-04389)
2023-01-18 00:00:00
cve
cve
CVE-2023-21839
2023-01-18 00:15:13
CVE-2017-3506
2017-04-24 19:59:03
vulnrichment
vulnrichment
CVE-2017-3506
2017-04-24 19:00:00
trendmicroblog
trendmicroblog
8220 Gang Evolves With New Strategies
2023-05-16 00:00:00
attackerkb
attackerkb
CVE-2017-3506
2017-04-24 00:00:00
CVE-2023-21839
2023-01-18 00:00:00
hackerone
hackerone
MTN Group: Remote OS Command Execution on Oracle Weblogic server via [CVE-2017-3506]
2020-03-04 14:20:40
nuclei
nuclei
Oracle Fusion Middleware Weblogic Server - Remote OS Command Execution
2021-04-26 09:48:57
metasploit
metasploit
Oracle Weblogic PreAuth Remote Command Execution via ForeignOpaqueReference IIOP Deserialization
2023-05-24 18:17:47
zdt
zdt
Oracle Weblogic PreAuth Remote Command Execution Exploit
2023-06-12 00:00:00
packetstorm
packetstorm
Oracle Weblogic PreAuth Remote Command Execution
2023-06-12 00:00:00
checkpoint_advisories
checkpoint_advisories
Oracle WebLogic WLS Security Component Remote Code Execution (CVE-2017-10271; CVE-2017-3506)
2017-12-27 00:00:00
talosblog
talosblog
Ransom Where? Malicious Cryptocurrency Miners Takeover, Generating Millions
2018-01-31 07:58:00
malwarebytes
malwarebytes
Oracle WebLogic Server vulnerability added to CISA list as β€œknown to be exploited”
2023-05-03 14:30:00
openvas
openvas
Oracle WebLogic Server Multiple Vulnerabilities-01 (cpuapr2017-3236618)
2017-04-19 00:00:00
fireeye
fireeye
Click It Up: Targeting Local Government Payment Portals
2018-09-19 10:00:00
nessus
nessus
Oracle WebLogic Server Multiple Vulnerabilities (April 2017 CPU)
2017-04-21 00:00:00
Oracle WebLogic Server (Jan 2023 CPU)
2023-01-19 00:00:00
impervablog
impervablog
Imperva Detects Undocumented 8220 Gang Activities
2023-12-14 13:48:35
rapid7blog
rapid7blog
Metasploit Weekly Wrap-Up
2023-06-16 20:40:51
kitploit
kitploit
Vulmap - Web Vulnerability Scanning And Verification Tools
2020-12-25 11:30:00
oracle
oracle
Oracle Critical Patch Update Advisory - January 2023
2023-01-17 00:00:00
Oracle Critical Patch Update Advisory - April 2017
2017-04-18 00:00:00

5.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.2 High

AI Score

Confidence

Low

0.955 High

EPSS

Percentile

99.4%

JSON
Related for TRENDMICROBLOG:7F5BE5F8A4681AFA25BE43543440A0AF
thn4nvd2cvelist2githubexploit7prion2cisa_kev2cnvd1cve2vulnrichment1trendmicroblog1attackerkb2hackerone1nuclei1metasploit1zdt1packetstorm1checkpoint_advisories1talosblog1malwarebytes1openvas1fireeye1nessus2impervablog1rapid7blog1kitploit1oracle2