A threat actor known as the 8220 gang, believed to be of Chinese origin, has been spotted exploiting a high-severity vulnerability in the Oracle WebLogic platform to deploy AgentTesla, rhajk and nasqa malware variants.
The flaw in question is CVE-2020-14883, an improper input validation issue within the Console component of Oracle WebLogic Server that can be exploited for remote code execution.
“This vulnerability allows remote authenticated attackers to execute code using a gadget chain and is commonly chained with CVE-2020-14882 (an authentication bypass vulnerability also affecting Oracle Weblogic Server) or the use of leaked, stolen, or weak credentials,” Imperva’s threat research team explained in a report. “The 8220 gang uses two different gadget chains: one enables the loading of an XML file, which then contains a call to the other and enables execution of commands on the OS.”
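The chain Imperva describes (console authentication bypass, then a gadget-chain request that pulls a remote XML file) leaves a recognisable trail in web-server access logs. The Python detector below is an added example, not code from the article or from Imperva; the log lines, the admin allowlist and the `PLACEHOLDER_GADGET` name are constructed placeholders, and the tags are detection signals, not a payload.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the article). Line 2 mimics
# the chained request shape with a PLACEHOLDER gadget name and a documentation
# IP; the traversal token and handle= parameter are the signals, not a payload.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2022:10:01:02 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4096
203.0.113.7 - - [10/Oct/2022:10:01:05 +0000] "POST /console/css/%252e%252e%252fconsole.portal?_nfpb=true&handle=PLACEHOLDER_GADGET(%22http://198.51.100.9/x.xml%22) HTTP/1.1" 200 1234
198.51.100.20 - - [10/Oct/2022:10:02:00 +0000] "GET /console/console.portal?_nfpb=true HTTP/1.1" 302 0
192.0.2.5 - - [10/Oct/2022:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

# Source addresses expected to reach the admin console (assumed allowlist).
ADMIN_ALLOWLIST = {"192.0.2.10"}

def decode_twice(s):
    """Decode URL encoding twice, so %252e%252e%252f becomes ../"""
    return unquote(unquote(s))

def classify(url, ip, status):
    """Return detection tags for one console request; empty list if benign."""
    tags = []
    if not url.startswith("/console"):
        return tags
    path, _, query = decode_twice(url).partition("?")
    if "../" in path or "..\\" in path:
        tags.append("console-path-traversal")  # CVE-2020-14882 bypass signal
    if "%25" in url:
        tags.append("double-encoding")  # encoding aimed at evading path checks
    if re.search(r"(?:^|&)handle=", query):
        tags.append("console-handle-param")  # CVE-2020-14883 gadget entry point
    if re.search(r"https?://", query):
        tags.append("remote-url-in-query")  # remote XML file per the report
    if ip not in ADMIN_ALLOWLIST and status in {"200", "302"}:
        tags.append("console-from-unlisted-ip")  # console reachable off-allowlist
    return tags

def scan(log_text):
    """Return (ip, url, tags) for every line that triggers at least one tag."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (tags := classify(m["url"], m["ip"], m["status"])):
            hits.append((m["ip"], m["url"], tags))
    return hits
```

A single request carrying both the traversal and the handle tags is the strongest indicator; a console reachable from unlisted addresses is a finding on its own, since the page notes the RCE is also reachable with leaked, stolen or weak credentials.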
First observed in 2017, the 8220 gang has been known to target Drupal, Hadoop YARN, and Apache Struts2 applications to propagate cryptojacking malware. Most recently, Trend Micro reported the group’s use of the CVE-2017-3506 WebLogic flaw to infect targeted systems.
The group has been seen exploiting the following vulnerabilities in its attacks:
CVE-2017-3506 – Oracle WebLogic Server RCE
CVE-2019-2725 – Oracle WebLogic Server Authenticated Deserialization
CVE-2020-14883 – Oracle WebLogic Server Authenticated RCE
CVE-2021-26084 – Atlassian Confluence Server OGNL Injection RCE
CVE-2021-44228 – Apache Log4j JNDI RCE
CVE-2022-26134 – Atlassian Confluence Server RCE
The group appears to be opportunistic when selecting its targets, with no clear trend in country or industry. It has been observed targeting healthcare, telecommunications, and financial services in the US, South Africa, Spain, Colombia, and Mexico. The 8220 gang appears to use custom tools written in Python to launch its attack campaigns, and the attacking IPs (located in the US, Mexico and Russia) are associated with known hosting companies, Imperva said.