More old Oracle WebLogic vulnerabilities exploited for cryptomining

Oracle WebLogic servers that remain vulnerable to old flaws, specifically CVE-2017-3506, CVE-2017-10271, and CVE-2023-21839, have recently been targeted by the 8220 Gang threat operation, also known as Water Sigbin. According to a report from The Hacker News, the attackers compromised these servers and dropped a PowerShell script that launched an early-stage loader masquerading as the WireGuard VPN application. That loader in turn delivered the PureCrypter loader, according to an analysis by Trend Micro.

The PureCrypter loader is capable of exfiltrating hardware information, creating scheduled tasks, and evading Microsoft Defender antivirus by adding file exclusions. Ultimately, the loader deploys the XMRig cryptocurrency miner fetched from the attackers' command and control server, the researchers noted.
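The two post-compromise behaviours named above, Defender exclusions and freshly registered scheduled tasks, are both visible to an administrator with built-in cmdlets. The following audit script is an added example written for this page; it is not code from the article, Trend Micro or the loader itself. It assumes a Windows host with the Defender and ScheduledTasks modules available, and the look-back window and the argument patterns it flags are assumptions to tune per environment.

```powershell
# Added example (not from the article or Trend Micro): audit a Windows host for the
# two persistence/evasion techniques the brief attributes to the PureCrypter loader.
# The look-back window and the flagged argument patterns are assumptions; adjust them.

function Get-DefenderExclusionReport {
    # Lists every Defender exclusion currently configured. On a server that is
    # expected to have none, any entry is a finding worth explaining.
    $pref = Get-MpPreference
    [PSCustomObject]@{
        Paths      = @($pref.ExclusionPath)
        Processes  = @($pref.ExclusionProcess)
        Extensions = @($pref.ExclusionExtension)
    }
}

function Get-RecentScheduledTaskReport {
    param([int]$LookBackDays = 7)   # assumed default window
    $cutoff = (Get-Date).AddDays(-$LookBackDays)
    # Argument fragments typical of script-based loaders (assumed list, case-insensitive).
    $pattern = '(?i)(-enc\b|-EncodedCommand|-nop\b|-w(indowstyle)?\s+hidden|DownloadString|\bIEX\b|Invoke-Expression)'

    Get-ScheduledTask | ForEach-Object {
        $task = $_
        $info = $task | Get-ScheduledTaskInfo
        # Task.Date is the registration timestamp as a string; it may be empty for built-in tasks.
        $isRecent = [bool]$task.Date -and ([datetime]$task.Date -ge $cutoff)
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            $hit = $cmd -match $pattern
            if ($isRecent -or $hit) {
                [PSCustomObject]@{
                    TaskName    = $task.TaskName
                    TaskPath    = $task.TaskPath
                    Author      = $task.Author
                    Registered  = $task.Date
                    LastRunTime = $info.LastRunTime
                    Command     = $cmd
                    Suspicious  = $hit
                }
            }
        }
    }
}

# Usage (run from an elevated prompt):
Get-DefenderExclusionReport
Get-RecentScheduledTaskReport -LookBackDays 14 | Format-Table -AutoSize
```

Run it on a known-good build first and save the output; the value of the exclusion report is the diff against that baseline, since legitimate software also registers exclusions and tasks.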

In a related development, the QiAnXin XLab team published a report detailing how the 8220 Gang used the k4spreader installation tool to distribute the Tsunami distributed denial-of-service botnet and the PwnRig cryptominer. According to the researchers, k4spreader, which is written in cgo, provides system persistence, self-downloading and self-updating, and execution of additional malware.

Overall, these incidents shed light on the ongoing threat posed by cybercriminals to vulnerable Oracle WebLogic servers. It is crucial for organizations to stay vigilant and ensure that their systems are properly updated and secured to prevent unauthorized access and potential exploitation by threat actors.

Article Source
https://www.scmagazine.com/brief/additional-old-oracle-weblogic-flaws-used-for-cryptomining