Old Oracle WebLogic vulnerability leveraged in cryptomining attacks

Vulnerable Oracle WebLogic servers impacted by the CVE-2017-3506 flaw, which could be exploited for arbitrary command execution, are being targeted by the cryptojacking operation 8220 Gang to facilitate cryptomining malware distribution, according to The Hacker News. Such a vulnerability is being leveraged by 8220 Gang to drop a PowerShell payload used as the basis for a separate PowerShell script that helps elude detection by the Windows Antimalware Scan Interface before fetching another obfuscated payload, a Trend Micro report showed. Researchers also found that Attackers have exploited the lwp-download Linux tool to facilitate arbitrary file saving on the impacted host and could affect various services upon reuse. "Considering the threat actor's tendency to reuse tools for different campaigns and abuse legitimate tools as part of the arsenal, organizations' security teams might be challenged to find other detection and blocking solutions to fend off attacks that abuse this utility," said researcher Sunil Bharti.