Imperva Threat Research has detected previously undocumented activity from the 8220 gang, which is known for the mass deployment of malware using a variety of continuously evolving TTPs. This threat actor has been known to target both Windows and Linux web servers with cryptojacking malware.
In this blog, we will detail recent activity, attack vectors used by the group, and share the indicators of compromise from the group's most recent and previously unknown campaigns.
Imperva customers are protected against this group's known activities.
The 8220 gang, widely believed to be of Chinese origin, was first identified by Cisco Talos in 2017 targeting Drupal, Hadoop YARN, and Apache Struts2 applications to propagate cryptojacking malware.
Various other researchers have provided updates on the evolving tactics, techniques and procedures leveraged by the group, including exploitation of Confluence and Log4j vulnerabilities.
Most recently, Trend Micro disclosed evidence of the group leveraging the Oracle WebLogic vulnerability CVE-2017-3506 to infect targeted systems.
Evolving TTPs. As well as the recently disclosed use of CVE-2021-44228 and CVE-2017-3506, Imperva Threat Research observed the group's attempted exploitation of CVE-2020-14883, a Remote Code Execution vulnerability in Oracle WebLogic Server, to propagate malware.
This vulnerability allows remote authenticated attackers to execute code using a gadget chain and is commonly chained with CVE-2020-14882 or the use of leaked, stolen, or weak credentials.
Exploitation of these vulnerabilities is well documented.
The 8220 gang uses two different gadget chains: one enables the loading of an XML file, which then contains a call to the other and enables execution of commands on the OS. The group uses different variations of the supplied XML depending on the target OS:. The command used to target Linux hosts attempts to download one of a set of second phase files using a variety of different methods: cURL, wget, lwp-download and python urllib, as well as a custom bash function that is also base64 encoded.
In another variation of the attack, the group uses a different gadget chain to execute Java code without the requirement of an externally hosted XML file.
The following graph shows recent activity attributed to the 8220 gang, all of which was mitigated by Imperva Cloud WAF. The group appears to be opportunistic when selecting their targets, with no clear trend in country or industry.
Imperva Threat Research observed the group attacking healthcare, telecommunications, and financial services targets in the United States, South Africa, Spain, Columbia, and Mexico.
The 8220 gang appears to use custom tools written in Python to launch their attack campaigns, and the attacking IPs-located in the US, Mexico and Russia-are associated with known hosting companies.
At the time of writing, Imperva Cloud WAF and on-prem WAF mitigates all of the web vulnerabilities known to be leveraged by the 8220 gang for their malicious activities.
The 8220 gang, a widely recognized threat actor driven by financial motives, has been under scrutiny by various research teams since 2017.
The group relies on simple, publicly available exploits to target well-known vulnerabilities and exploit easy targets to achieve their objectives.
Throughout our investigation, we observed that attributing attacks to this group was relatively straightforward due to their consistent use of easily traceable IoCs and TTPs, frequently reusing the same IP addresses, web servers, payloads, and attack tools.
Despite the group's lack of sophistication, it remains critical for enterprises to promptly patch their applications and implement multiple layers of security measures to safeguard against falling victim to such groups.
Imperva Threat Research will maintain its vigilance in monitoring the activities of this and other threat actors, and ensuring security for our customers.
This Cyber News was published on www.imperva.com. Publication date: Thu, 14 Dec 2023 14:43:05 +0000