Group 8220 Exploits Oracle Weblogic Vulnerability on Three Continents

Headline: Group 8220 Exploits Oracle Weblogic Server Vulnerability for Malicious Activities
Published Date: October 27, 2020

Researchers at IMPERVA have recorded activity by the 8220 group, which is using a highly sophisticated approach to exploit a vulnerability in Oracle Weblogic Server. The group is using the vulnerability known as CVE-2020-14883 (CVSS 7.2) to remotely execute malicious code on vulnerable servers.

The IMPERVA report indicates that this vulnerability allows an authenticated attacker to execute code via a gadget chain. It is often associated with another vulnerability, CVE-2020-14882, which also affects Oracle Weblogic Server. The group also exploits stolen or weak credentials to carry out its activities.

This is not the first time the 8220 group has utilized well-known vulnerabilities to spread malware. In May of this year, they exploited the CVE-2017-3506 vulnerability in Oracle Weblogic servers (CVSS 7.4) to build a botnet for cryptocurrency mining.

IMPERVA’s recent findings reveal that the group is leveraging CVE-2020-14883 to deliver specially crafted XML files and deploy malicious software, such as Agent Tesla, Rhajk, and Nasqa. This enables it to steal data and engage in cryptocurrency mining.

“The group seems to operate without a clear target in terms of country or industry,” said IMPERVA security researcher Daniel Johnston. The sectors targeted by the 8220 group’s malicious campaign include healthcare, telecommunications, and financial services in the USA, South Africa, Spain, Colombia, and Mexico.

Johnston further stated, “The group relies on simple, publicly accessible exploits to attack well-known vulnerabilities. Despite their simple methods, they constantly evolve their tactics and techniques to avoid detection.”
