Imperva Threat Research has discovered previously unknown activity from the 8220 gang, a group known for deploying malware using various evolving tactics, techniques, and procedures. This threat actor targets both Windows and Linux web servers with cryptojacking malware. In this blog, we will provide details about their recent activity, the attack vectors they use, and share indicators of compromise (IoCs) from their most recent and previously unknown campaigns. Imperva customers are protected against this group’s known activities, but all organizations should keep their systems updated and secure.
The 8220 gang, believed to be of Chinese origin, was first identified in 2017 targeting Drupal, Hadoop YARN, and Apache Struts2 applications to spread cryptojacking malware. Since then, the group has been observed using a variety of vulnerabilities to infect systems. Imperva Threat Research has observed the group attempting to exploit Remote Code Execution vulnerabilities in Oracle WebLogic Server to propagate malware, and has also observed it using different variations of the supplied XML files depending on the target operating system.
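Because the group delivers its WebLogic payloads as XML that varies with the target operating system, a defender triaging web-server traffic wants to flag XML POST bodies that reference Java command-execution classes and record which OS variant was seen. The following is an added example written for this post, not Imperva's code or any detection rule the post describes: it assumes request records captured by a reverse proxy or WAF in the `RequestRecord` shape defined below, uses general knowledge of the Java classes (`java.lang.ProcessBuilder`, `java.lang.Runtime`) that command-execution payloads in XML deserialization requests reference, and runs over constructed, non-functional sample fragments embedded inline. The paths in the samples are placeholders, not real WebLogic endpoints.

```python
"""Heuristic triage of captured HTTP requests for OS-specific XML payloads
aimed at Oracle WebLogic. Added example; assumptions are marked inline."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional


# ASSUMPTION: this is the shape in which the proxy/WAF exposes captured requests.
@dataclass(frozen=True)
class RequestRecord:
    src_ip: str
    method: str
    path: str
    content_type: str
    body: str


# Java classes that command-execution payloads inside XML deserialization
# requests reference (general knowledge, not taken from the post).
EXEC_CLASS_RE = re.compile(r"java\.lang\.(?:ProcessBuilder|Runtime)\b")
# Shell references used to guess which OS variant of the payload was sent.
WINDOWS_SHELL_RE = re.compile(r"\bcmd(?:\.exe)?\b|\bpowershell(?:\.exe)?\b", re.IGNORECASE)
LINUX_SHELL_RE = re.compile(r"/bin/(?:ba)?sh\b|\bwget\b|\bcurl\b")


def looks_like_xml(content_type: str, body: str) -> bool:
    """Treat the body as XML if the header says so or the body starts with a tag."""
    return "xml" in content_type.lower() or body.lstrip().startswith("<")


def guess_target_os(body: str) -> str:
    """Classify the payload variant by the shell it references."""
    windows = bool(WINDOWS_SHELL_RE.search(body))
    linux = bool(LINUX_SHELL_RE.search(body))
    if windows and linux:
        return "both"
    if windows:
        return "windows"
    if linux:
        return "linux"
    return "unknown"


def triage_request(record: RequestRecord) -> Optional[dict]:
    """Return a finding for a POSTed XML body that names an exec class, else None."""
    if record.method.upper() != "POST":
        return None
    if not looks_like_xml(record.content_type, record.body):
        return None
    match = EXEC_CLASS_RE.search(record.body)
    if match is None:
        return None
    return {
        "src_ip": record.src_ip,
        "path": record.path,
        "indicator": match.group(0),
        "target_os": guess_target_os(record.body),
    }


def triage_batch(records: Iterable[RequestRecord]) -> List[dict]:
    """Run triage over a batch and keep only the records that produced a finding."""
    return [f for f in (triage_request(r) for r in records) if f is not None]


# Constructed sample records. The XML fragments are deliberately incomplete and
# non-functional; the paths are placeholders, not real WebLogic endpoints.
SAMPLE_RECORDS = [
    RequestRecord("203.0.113.10", "POST", "/EXAMPLE-weblogic-service/", "text/xml",
                  "<soap:Envelope><x>java.lang.ProcessBuilder cmd.exe /c EXAMPLE</x></soap:Envelope>"),
    RequestRecord("203.0.113.11", "POST", "/EXAMPLE-weblogic-service/", "text/xml",
                  "<soap:Envelope><x>java.lang.Runtime /bin/sh -c EXAMPLE</x></soap:Envelope>"),
    RequestRecord("198.51.100.5", "POST", "/EXAMPLE-weblogic-service/", "text/xml",
                  "<soap:Envelope><soap:Body><getStatus/></soap:Body></soap:Envelope>"),
    RequestRecord("198.51.100.6", "GET", "/EXAMPLE-weblogic-service/", "text/html", ""),
]


if __name__ == "__main__":
    for finding in triage_batch(SAMPLE_RECORDS):
        print(finding)
```

Running the block prints two findings: the first sample is classified as the Windows variant and the second as the Linux variant, while the benign SOAP call and the GET request produce nothing. The OS guess is a heuristic for analyst context only; the alert itself is driven by the exec-class reference inside an XML POST, so a payload that hides its shell name still triggers with `target_os` set to `unknown`.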
The 8220 gang has been observed attacking targets in various industries and countries, including healthcare, telecommunications, and financial services in the United States, South Africa, Spain, Colombia, and Mexico.
At the time of writing, Imperva Cloud WAF and on-prem WAF mitigate all of the web vulnerabilities known to be leveraged by the 8220 gang for their malicious activities. Despite the group's lack of sophistication, it is important for enterprises to promptly patch their applications and implement multiple layers of security measures to safeguard against falling victim to such groups. Imperva Threat Research will continue to monitor the activities of this and other threat actors to ensure security for our customers.