"8220 Gang Exploiting Oracle WebLogic Flaw to Hijack Servers and Mine Cryptocurrency"

The 8220 Gang, a cryptojacking group, has been observed weaponizing a six-year-old security vulnerability in Oracle WebLogic servers to pull vulnerable instances into a botnet and spread cryptocurrency mining malware. The flaw, tracked as CVE-2017-3506 with a CVSS score of 7.4, could allow an unauthenticated attacker to remotely execute arbitrary commands. According to Trend Micro researcher Sunil Bharti, this would enable attackers to gain unauthorized access to sensitive data or compromise the entire system. The group, first documented by Cisco Talos in 2018, is named for its original use of port 8220 for command-and-control (C2) network communications. SentinelOne reported last year that the 8220 Gang identifies targets by scanning the public Internet for misconfigured or vulnerable hosts. After an initial infection, the 8220 Gang uses SSH brute force attacks to move laterally within a compromised network. Earlier this year, Sysdig reported attacks carried out by the "low-skill" crimeware gang between November 2022 and January 2023 to breach vulnerable Oracle WebLogic and Apache web servers and deploy a cryptocurrency miner. This article continues to discuss the 8220 Gang exploiting a six-year-old security flaw in Oracle WebLogic servers.
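Two of the behaviours in the summary above leave traces a defender can look for: post-infection SSH brute force for lateral movement (a burst of failed logins from one internal host, sometimes followed by a success) and, historically, C2 traffic on port 8220. The following detection logic is an added example written for this page; it is not code from Trend Micro, SentinelOne, Sysdig or any tool the article mentions. The sshd log lines, hostnames, IP addresses and connection records are constructed, and the threshold, window and port values are assumptions a team would tune to its own environment.

```python
"""Added example: flag SSH brute-force bursts and outbound connections to
TCP port 8220 in constructed log data. Nothing here comes from a real system."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd auth-log lines (syslog style). Host 10.0.0.45 hammers
# several accounts and then succeeds; 10.0.0.7 is a normal admin login.
AUTH_LOG = """\
Jun  1 10:00:01 web01 sshd[2210]: Failed password for root from 10.0.0.45 port 51122 ssh2
Jun  1 10:00:02 web01 sshd[2211]: Failed password for root from 10.0.0.45 port 51123 ssh2
Jun  1 10:00:02 web01 sshd[2212]: Failed password for admin from 10.0.0.45 port 51124 ssh2
Jun  1 10:00:03 web01 sshd[2213]: Failed password for oracle from 10.0.0.45 port 51125 ssh2
Jun  1 10:00:04 web01 sshd[2214]: Failed password for oracle from 10.0.0.45 port 51126 ssh2
Jun  1 10:00:05 web01 sshd[2215]: Accepted password for oracle from 10.0.0.45 port 51127 ssh2
Jun  1 10:30:00 web01 sshd[2300]: Failed password for deploy from 10.0.0.7 port 40001 ssh2
Jun  1 10:45:00 web01 sshd[2301]: Accepted publickey for deploy from 10.0.0.7 port 40002 ssh2
"""

# Constructed outbound connection records: (source_host, dest_ip, dest_port).
CONNECTIONS = [
    ("web01", "203.0.113.10", 443),
    ("web01", "198.51.100.23", 8220),
    ("web02", "203.0.113.10", 443),
]

SSH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<src>\S+)"
)


def parse_auth_log(text, year=2023):
    """Yield (timestamp, result, user, source_ip) for each sshd auth line.
    Syslog lines carry no year, so one is supplied (assumed 2023 here)."""
    for line in text.splitlines():
        m = SSH_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["src"]


def detect_ssh_bruteforce(text, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: {...}} for sources with >= threshold failed logins
    inside `window`, noting whether a successful login followed the burst.
    threshold and window are assumed tuning values, not published numbers."""
    events = list(parse_auth_log(text))
    failures = defaultdict(list)
    for ts, result, _, src in events:
        if result == "Failed":
            failures[src].append(ts)

    alerts = {}
    for src, times in failures.items():
        times.sort()
        for i in range(len(times)):
            # Sliding window: count failures no later than times[i] + window.
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                burst_end = times[j - 1]
                # A success from the same source after the burst is the
                # strongest sign that a password was actually guessed.
                success_after = any(
                    r == "Accepted" and s == src and ts >= burst_end
                    for ts, r, _, s in events
                )
                alerts[src] = {"failures": j - i, "success_after_burst": success_after}
                break
    return alerts


def detect_c2_port(connections, port=8220):
    """Return (host, dest_ip) pairs that connected to the given port.
    8220 was the group's original C2 port, so treat a hit as a lead to
    verify, not as proof on its own."""
    return [(host, ip) for host, ip, p in connections if p == port]


if __name__ == "__main__":
    print(detect_ssh_bruteforce(AUTH_LOG))
    print(detect_c2_port(CONNECTIONS))
```

The SSH check is the more durable of the two: it keys on behaviour (many failures from one internal source in a short window, then a success) rather than on an infrastructure detail that an operator can change. The port check is kept deliberately simple because the article describes 8220 as the group's original port, so it is best used to enrich an alert raised by stronger signals such as the brute-force burst or an unexpected miner process.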

THN reports "8220 Gang Exploiting Oracle WebLogic Flaw to Hijack Servers and Mine Cryptocurrency"
