Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Imperva. Show all posts

Imperva Report Previously Undocumented 8220 Gang Activities


Imperva Threat Research team has recently discovered a previously unreported activity from the 8220 gang, which is well-known for mass-deploying a range of constantly evolving TTPs to distribute malware in large quantities. The threat actor has a history of using cryptojacking malware to target Linux and Windows web servers.

The researchers reported the issue in a blog, discussing the group’s attack tactics, recent activities, and indicators of compromise (IoCs) from the threat actor’s most recent campaign. Customers of Imperva are shielded from the known actions of this group. All firms are required to keep their security and patching up-to-date. 

History of the Threat Actor

The 8220 gang, which is believed to be a China-based group, was initially discovered in 2017 by Cisco Talos. The targets include Apache Struts2, Hadoop YARN, and Drupal systems, where the threat actors transmitted cryptojacking malware. Since then, a number of additional researchers have offered updates on the group's growing tactics, methods, and procedures (TTPs), which include making use of vulnerabilities in Log4j and Confluence. The group's use of the Oracle WebLogic vulnerability CVE-2017-3506 to infect specific systems was most recently shown by Trend Micro.

Evolving TTPs

The Imperva Threat Research disclosed the use of malware identified as CVE-2021-44228 and CVE-2017-3506. Also, the researchers revealed that the threat group exploited CVE-2020-14883, a Remote Code Execution vulnerability in Oracle WebLogic Server, to spread malware.

This vulnerability, frequently linked with CVE-2020-14882 (an authentication bypass vulnerability also affecting Oracle Weblogic Server) or using compromised, stolen, or leaked credentials, permits remote authenticated attackers to execute code via a gadget chain. The documented exploitation of these vulnerabilities is extensive. This way, it is easier to modify for the distribution of malware. 

The 8220 gang employs two distinct gadget chains: one allows an XML file to be loaded, and this file contains a call to another gadget chain that allows commands to be executed on the operating system.

The report further notes that Imperva Cloud WAF and on-prem WAF have addressed the issues already by mitigating flaws that were used by the 8220 gang for conducting their malicious activities. Some of these vulnerabilities have been listed below:

  • CVE-2017-3506 – Oracle WebLogic Server RCE 
  • CVE-2019-2725 – Oracle WebLogic Server Authenticated Deserialization 
  • CVE-2020-14883 – Oracle WebLogic Server Authenticated RCE 
  • CVE-2021-26084 – Atlassian Confluence Server OGNL Injection RCE 
  • CVE-2021-44228 – Apache Log4j JNDI RCE 
  • CVE-2022-26134 – Atlassian Confluence Server RCE  

Extended DDoS Attack With 25.3B+ Requests Thwarted

 

On June 27, 2022, the cybersecurity firm Imperva mitigated a DDoS attack with over 25.3 billion requests. The attack, according to experts, sets a new record for Imperva's application DDoS mitigation solution. The attack, which targeted an unnamed Chinese telecommunications company, was notable for its duration, lasting more than four hours and peaking at 3.9 million RPS. 

“On June 27, 2022, Imperva mitigated a single attack with over 25.3 billion requests, setting a new record for Imperva’s application DDoS mitigation solution” reads the announcement. “While attacks with over one million requests per second (RPS) aren’t new, we’ve previously only seen them last for several seconds to a few minutes. On June 27, Imperva successfully mitigated a strong attack that lasted more than four hours and peaked at 3.9 million RPS.”

The Chinese telecommunications company had previously been targeted by large attacks, and experts added that two days later, a new DDoS attack hit its website, albeit for a shorter period of time. This record-breaking attack had an average rate of 1.8 million RPS. To send multiple requests over individual connections, threat actors used HTTP/2 multiplexing or combining multiple packets into one.

The attackers' technique is difficult to detect and can bring down targets with a limited number of resources.

“Since our automated mitigation solution is guaranteed to block DDoS in under three seconds, we estimate that the attack could have reached a much greater rate than our tracked peak of 3.9 million RPS.” continues Imperva.

This attack was launched by a botnet comprised of nearly 170,000 different IP addresses, including routers, security cameras, and compromised servers. The compromised devices can be found in over 180 countries, with the majority of them in the United States, Indonesia, and Brazil.

Akamai mitigated the largest DDoS attack ever against one of its European customers on Monday, September 12, 2022. The malicious traffic peaked at 704.8 Mpps and appears to be the work of the same threat actor as the previous record, which Akamai blocked in July and hit the same customer.