8220 Gang Exploiting Vulnerabilities in WebLogic and Atlassian Servers - Warns Microsoft
Jul 5, 2022
The 8220 gang
Microsoft has disclosed recent attacks by the 8220 gang, in which the group was found exploiting a critical bug affecting Atlassian Confluence Server and Data Center. The recent campaign targets i686 and x86_64 Linux systems. It employs RCE exploits for CVE-2019-2725 (Oracle WebLogic) and CVE-2022-26134 (Atlassian Confluence Server and Data Center) for initial access.

More insights
The group has been observed actively updating its techniques and payloads over the last year. The malware updates include the deployment of a new crypto-miner version and an IRC bot. The group was spotted targeting Windows systems via the Atlassian flaw to insert a script into a PowerShell process in memory. After initial access, the backdoor downloads a loader that changes the system's configuration. The loader disables security services, downloads a cryptominer, establishes persistence on the network, and scans ports to find other servers. The group was also seen targeting Apache Struts2 and Docker image vulnerabilities to compromise enterprise servers.

Conclusion
Cybercriminals are known to take advantage of such security flaws in their attacks. Security teams must follow a proper patch management program to stay up to date and protected.