Imperva Threat Research has detected previously undocumented activity from the 8220 gang, which is known for the mass deployment of malware using a variety of continuously evolving TTPs. This threat actor has been known to target both Windows and Linux web servers with cryptojacking malware.
In this blog, we will detail recent activity, attack vectors used by the group, and share the indicators of compromise (IoCs) from the group’s most recent and previously unknown campaigns. Imperva customers are protected against this group’s known activities. All organizations should maintain up-to-date patches and security.
History
The 8220 gang, widely believed to be of Chinese origin, was first identified by Cisco Talos in 2017 targeting Drupal, Hadoop YARN, and Apache Struts2 applications to propagate cryptojacking malware. Since then, various other researchers have provided updates on the evolving tactics, techniques and procedures (TTPs) leveraged by the group, including exploitation of Confluence and Log4j vulnerabilities. Most recently, Trend Micro disclosed evidence of the group leveraging the Oracle WebLogic vulnerability CVE-2017-3506 to infect targeted systems.
Evolving TTPs
As well as the recently disclosed use of CVE-2021-44228 and CVE-2017-3506, Imperva Threat Research observed the group’s attempted exploitation of CVE-2020-14883, a Remote Code Execution vulnerability in Oracle WebLogic Server, to propagate malware.
This vulnerability allows remote authenticated attackers to execute code using a gadget chain and is commonly chained with CVE-2020-14882 (an authentication bypass vulnerability also affecting Oracle Weblogic Server) or the use of leaked, stolen, or weak credentials. Exploitation of these vulnerabilities is well documented. Therefore, it is easy to modify for the purposes of malware deployment. The 8220 gang uses two different gadget chains: one enables the loading of an XML file, which then contains a call to the other and enables execution of commands on the OS.
The group uses different variations of the supplied XML depending on the target OS:
The command used to target Linux hosts attempts to download one of a set of second phase files using a variety of different methods: cURL, wget, lwp-download and python urllib (base64 encoded), as well as a custom bash function that is also base64 encoded.
Decoded base64: calls to python 2 and 3 urllib:
Custom bash download function:
On Windows a simple PowerShell WebClient command is used to execute a downloaded PowerShell script:
In another variation of the attack, the group uses a different gadget chain to execute Java code without the requirement of an externally hosted XML file.
The injected Java code first evaluates whether the OS is Windows or Linux, and then executes the appropriate command strings, which are identical to the ones already outlined above.
From here, the downloaded files are executed, infecting the exploited hosts with known AgentTesla, rhajk and nasqa malware variants, shown in the VirusTotal screenshots below.
The chain of infection using CVE-2020-14883:
Activity Trends
The following graph shows recent activity attributed to the 8220 gang, all of which was mitigated by Imperva Cloud WAF. The group appears to be opportunistic when selecting their targets, with no clear trend in country or industry. Imperva Threat Research observed the group attacking healthcare, telecommunications, and financial services targets in the United States, South Africa, Spain, Columbia, and Mexico. The 8220 gang appears to use custom tools written in Python to launch their attack campaigns, and the attacking IPs—located in the US, Mexico and Russia—are associated with known hosting companies.
Imperva Mitigation
At the time of writing, Imperva Cloud WAF and on-prem WAF mitigates all of the web vulnerabilities known to be leveraged by the 8220 gang for their malicious activities. Recent vulnerabilities detected by Imperva and leveraged by the group include:
- CVE-2017-3506 – Oracle WebLogic Server RCE
- CVE-2019-2725 – Oracle WebLogic Server Authenticated Deserialization
- CVE-2020-14883 – Oracle WebLogic Server Authenticated RCE
- CVE-2021-26084 – Atlassian Confluence Server OGNL Injection RCE
- CVE-2021-44228 – Apache Log4j JNDI RCE
- CVE-2022-26134 – Atlassian Confluence Server RCE
Conclusion
The 8220 gang, a widely recognized threat actor driven by financial motives, has been under scrutiny by various research teams since 2017. The group relies on simple, publicly available exploits to target well-known vulnerabilities and exploit easy targets to achieve their objectives. While considered unsophisticated, they are constantly evolving their tactics and techniques to evade detection.
Throughout our investigation, we observed that attributing attacks to this group was relatively straightforward due to their consistent use of easily traceable IoCs and TTPs, frequently reusing the same IP addresses, web servers, payloads, and attack tools.
Despite the group’s lack of sophistication, it remains critical for enterprises to promptly patch their applications and implement multiple layers of security measures to safeguard against falling victim to such groups. Imperva Threat Research will maintain its vigilance in monitoring the activities of this and other threat actors, and ensuring security for our customers.
Latest 8220 gang IoCs
URLs
Source IPs
Malicious file hashes
Try Imperva for Free
Protect your business for 30 days on Imperva.
