Healthcare, telecommunications, and financial services firms across the U.S., Mexico, Columbia, Spain, and South Africa are having their Oracle WebLogic servers vulnerable to the remote code execution flaw, tracked as CVE-202014883, targeted by the threat operation 8220 Gang to facilitate malware distribution, The Hacker News reports.
Such a vulnerability which is usually used alongside another WebLogic server bug, tracked as CVE-2020-14882 has been leveraged by 8220 Gang for XML file creation and code execution for the deployment of the Agent Tesla, nasqa, and rhajk payloads, a report from Imperva revealed. Another years-old WebLogic vulnerability, tracked as CVE-2017-3506, was previously reported to have been used by the group to enable cryptojacking malware delivery. "The group relies on simple, publicly available exploits to target well-known vulnerabilities and exploit easy targets to achieve their objectives. While considered unsophisticated, they are constantly evolving their tactics and techniques to evade detection," said Imperva security researcher Daniel Johnston.