The 8220 hacker group, which was first recognized in 2017 by Cisco Talos, is exploiting each Home windows and Linux internet servers with crypto-jacking malware. Certainly one of their latest actions concerned the exploitation of Oracle WebLogic vulnerability (CVE-2017-3506) and Log4Shell (CVE-2021-44228).
Nevertheless, the historical past of this menace group had a number of exploited vulnerabilities comparable to Confluence, Log4j, Drupal, Hadoop YARN, and Apache Struts2 purposes. Their TTPs are advanced with totally different publicly launched exploits.
8220 Hacker Group
Along with this, the group was additionally found to be exploiting (CVE-2020-14883), a Distant code execution vulnerability in Oracle WebLogic Server. This exploitation chain is mixed with one other authentication bypass vulnerability (CVE-2020-14882) within the Oracle WebLogic server.
The exploitation strategies of those two vulnerabilities are publicly out there, making it comparatively straightforward for the menace actor to switch and exploit them for malicious functions.Â
Two totally different exploit chains had been found, and considered one of them permits the loading of an XML file used for additional phases of execution of instructions on the OS, whereas the opposite one executes Java code with out the usage of an XML file.
An infection Chains
The primary an infection chain makes use of totally different XML information that rely upon the goal OS. Within the case of Linux, the downloading of different information is carried out by way of cURL, wget, lwp-download, and python urllib together with a customized bash operate that encodes it to base64.
The strategy injects a Java code which additionally initially evaluates the OS and executes the identical command strings executed within the first methodology. As soon as the obtain and execution course of takes place, the compromised hosts are contaminated with AgentTesla, rhajk, and nasqa malware variants.
A full report has been printed, which supplies detailed details about the exploitation, command used, encoding, and different data.
Indicators of Compromise
URL
Supply IPs