China-linked 8220 gang exploits Oracle WebLogic bugs to deploy malware

A threat actor known as the 8220 gang, believed to be of Chinese origin, has been spotted exploiting a high-severity vulnerability in the Oracle WebLogic platform to deploy AgentTesla, rhajk and nasqa malware variants.

The said flaw is CVE-2020-14883, an improper input validation issue within the Console component in Oracle WebLogic Server, which could be exploited for remote code execution.

“This vulnerability allows remote authenticated attackers to execute code using a gadget chain and is commonly chained with CVE-2020-14882 (an authentication bypass vulnerability also affecting Oracle Weblogic Server) or the use of leaked, stolen, or weak credentials,” Imperva’s threat research team explained in a report. “The 8220 gang uses two different gadget chains: one enables the loading of an XML file, which then contains a call to the other and enables execution of commands on the OS.”

First observed in 2017, the 8220 gang has been known to target Drupal, Hadoop YARN, and Apache Struts2 applications to propagate cryptojacking malware. Most recently, Trend Micro reported the group’s use of the CVE-2017-3506 WebLogic flaw to infect targeted systems.

The group has been seen exploiting the following vulnerabilities in its attacks:

The group appears to be opportunistic in selecting its targets, with no clear trend in country or industry. It was observed targeting healthcare, telecommunications, and financial services organizations in the US, South Africa, Spain, Colombia, and Mexico. The 8220 gang appears to use custom tools written in Python to launch its attack campaigns, and the attacking IPs (located in the US, Mexico and Russia) are associated with known hosting companies, Imperva said.
