8220 group mines cryptocurrency on three continents due to a vulnerability in Oracle WebLogic

The hackers targeted organizations in the healthcare, telecommunications, and financial services sectors.

Imperva detected the activity of the 8220 group, which exploits a high-severity vulnerability in Oracle WebLogic Server to distribute its malicious software.

We are talking about CVE-2020-14883 (CVSS score 7.2), which is a remote code execution (RCE) vulnerability that authenticated attackers can use to take over vulnerable servers.

"This vulnerability allows remote authenticated attackers to execute code using a chain of gadgets and is often associated with CVE-2020-14882 (an authentication bypass vulnerability also affecting Oracle WebLogic Server) or the use of leaked, stolen or weak credentials," the Imperva report says.

The 8220 group already has experience using known security vulnerabilities to distribute malware for the purpose of cryptojacking. In May of this year, they used another Oracle WebLogic Server vulnerability (CVE-2017-3506, CVSS score 7.4) to add devices to their cryptocurrency mining botnet.

Recent attack chains documented by Imperva include the use of CVE-2020-14883 to create specially prepared XML files and then run code responsible for deploying data theft and cryptocurrency mining malware such as Agent Tesla, rhajk, and nasqa.
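The two passages above describe the entry point: an authenticated RCE that only becomes useful once the attacker reaches the WebLogic administration console, either through an authentication bypass or with leaked, stolen or weak credentials. The following is an added defender-side illustration, not code from the article or from Imperva. It runs a generic heuristic over constructed access-log lines: console requests from outside an assumed admin allowlist, and percent-encoded or double-encoded traversal sequences in console paths. The log format, the allowlist networks and the sample lines are all assumptions; it is not a signature for the specific CVEs named in the article.

```python
"""Heuristic review of WebLogic admin-console requests in an access log.

Added illustration, not the article's or Imperva's code. The log lines,
the common-log-format layout and the admin allowlist are constructed.
"""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Assumption: only these networks should ever reach the admin console.
ADMIN_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.50.0/24")]

# Assumed layout: common log format (client ip, timestamp, request line, status).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one legitimate admin login, one ordinary page hit,
# one console hit from an external address, one double-encoded traversal.
SAMPLE_LOG = [
    '192.168.50.10 - - [10/Oct/2023:10:00:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 1234',
    '203.0.113.7 - - [10/Oct/2023:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:10:00:09 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 1234',
    '198.51.100.23 - - [10/Oct/2023:10:00:12 +0000] "GET /console/images/%252e%252e/%252e%252e/somepage HTTP/1.1" 200 800',
]


@dataclass
class Finding:
    line_no: int
    ip: str
    path: str
    reasons: list = field(default_factory=list)


def decode_twice(s: str) -> str:
    # Decode two layers of percent-encoding: double encoding is a classic way to
    # carry traversal sequences through a component that decodes only once.
    return unquote(unquote(s))


def is_admin_source(ip: str) -> bool:
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_NETS)


def analyse(lines):
    """Return a Finding for every console request that trips a heuristic."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith("/console"):
            continue
        ip, path = m["ip"], m["path"]
        reasons = []
        if not is_admin_source(ip):
            reasons.append("console access from non-admin network")
        decoded = decode_twice(path)
        if "../" in decoded or "..\\" in decoded:
            reasons.append("traversal sequence in console path")
        if decoded != unquote(path):
            reasons.append("double-encoded path")
        if reasons:
            findings.append(Finding(n, ip, path, reasons))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.ip} {f.path} -> {', '.join(f.reasons)}")
```

The first heuristic is the one that matters most for the chain the article describes: if the console is reachable only from administrative networks, neither a bypass nor a stolen password gets an outside attacker to the authenticated RCE. The encoding checks are deliberately generic and will need tuning against real traffic.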

"There is a sense that the group operates in a non-systematic way, with no clear trend in choosing a country or industry," said Imperva security researcher Daniel Johnston.

The 8220 malware campaign has already targeted the healthcare, telecommunications, and financial services sectors in the United States, South Africa, Spain, Colombia, and Mexico.

"The group relies on simple, publicly available exploits to attack known vulnerabilities and advance its interests," Johnston added. "Even though their methods are considered uncomplicated, they are constantly evolving their tactics and techniques to avoid detection."