Imperva Threat Research team has recently discovered a previously unreported activity from the 8220 gang, which is well-known for mass-deploying a range of constantly evolving TTPs to distribute malware in large quantities.
The threat actor has a history of using cryptojacking malware to target Linux and Windows web servers.
The researchers reported the issue in a blog, discussing the group's attack tactics, recent activities, and indicators of compromise from the threat actor's most recent campaign.
Customers of Imperva are shielded from the known actions of this group.
All firms are required to keep their security and patching up-to-date.
History of the Threat Actor The 8220 gang, which is believed to be a China-based group, was initially discovered in 2017 by Cisco Talos.
The targets include Apache Struts2, Hadoop YARN, and Drupal systems, where the threat actors transmitted cryptojacking malware.
A number of additional researchers have offered updates on the group's growing tactics, methods, and procedures, which include making use of vulnerabilities in Log4j and Confluence.
The group's use of the Oracle WebLogic vulnerability CVE-2017-3506 to infect specific systems was most recently shown by Trend Micro.
Evolving TTPs The Imperva Threat Research disclosed the use of malware identified as CVE-2021-44228 and CVE-2017-3506.
The researchers revealed that the threat group exploited CVE-2020-14883, a Remote Code Execution vulnerability in Oracle WebLogic Server, to spread malware.
This vulnerability, frequently linked with CVE-2020-14882 or using compromised, stolen, or leaked credentials, permits remote authenticated attackers to execute code via a gadget chain.
The documented exploitation of these vulnerabilities is extensive.
This way, it is easier to modify for the distribution of malware.
The 8220 gang employs two distinct gadget chains: one allows an XML file to be loaded, and this file contains a call to another gadget chain that allows commands to be executed on the operating system.
The report further notes that Imperva Cloud WAF and on-prem WAF have addressed the issues already by mitigating flaws that were used by the 8220 gang for conducting their malicious activities.
This Cyber News was published on www.cysecurity.news. Publication date: Tue, 19 Dec 2023 16:43:05 +0000