Cybersecurity researchers have uncovered a complex attack campaign orchestrated by the threat actor Water Sigbin (also known as 8220 Gang), targeting vulnerabilities in Oracle WebLogic Server, specifically CVE-2017-3506 and CVE-2023-21839. The attackers employed these vulnerabilities to plant the XMRig cryptocurrency miner on compromised systems. To avoid detection, Water Sigbin utilized advanced tactics such as code obfuscation with .Net Reactor, fileless execution techniques like reflective DLL injection and process hollowing, and masking the XMRig miner as legitimate processes. The attack involved multiple stages of decryption, decompression, and loading of payloads through PowerShell scripts and reflective injection.
The malware collected system information through WMI queries, encrypted it, and sent it to a command-and-control (C2) server for victim identification. By using fileless execution methods and code protection software like .NET Reactor, the attackers were able to operate stealthily and evade traditional detection mechanisms. The attack began with the exploitation of CVE-2017-3506, which allowed the execution of a PowerShell script, leading to the deployment of the malicious payloads.
The final payload deployed was the XMRig cryptocurrency miner, which initiated mining activities by sending requests to a mining pool URL and using a specific wallet address. Trend Micro provided several indicators of compromise related to this attack, along with recommendations for organizations to mitigate such threats. These recommendations include keeping systems and software updated, implementing strong authentication methods like multi-factor authentication, conducting regular vulnerability scans, educating employees on security best practices, and utilizing endpoint detection and response solutions.
By showcasing their technical prowess through the exploitation of WebLogic vulnerabilities, use of sophisticated evasion tactics, and deployment of cryptocurrency miners, Water Sigbin has once again demonstrated their expertise in the cyber threat landscape. Organizations are urged to take proactive measures to protect themselves from such advanced threats by following security best practices and staying vigilant against evolving cybersecurity challenges.
Article Source
https://cybersecuritynews.com/water-sigbin-hackers-exploit-oracle-weblogic-vulnerabilities/amp/
