Hackers from China have learned to mine cryptocurrency in US government networks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Oracle WebLogic Server to its catalog of known exploitable vulnerabilities (KEVs). This was done in light of the available evidence of active exploitation of the problem by attackers.

Vulnerability CVE-2017−3506 with a security rating of 7.4 allows attackers to execute arbitrary code on vulnerable servers. As a result, attackers can gain unauthorized access and full control over compromised systems.

According to cybersecurity experts, the Chinese hacker group 8220 Gang, also known as Water Sigbin, has been exploiting this vulnerability since early 2022. Hackers use it to deploy a cryptocurrency mining botnet by infecting unpatched and vulnerable systems.

Trend Micro experts note that the 8220 Gang uses advanced code sniffing techniques and sophisticated scripts to stealthily deliver malicious payloads to the attacked systems. In particular, it uses hexadecimal URL encoding and HTTPS payloads delivered via port 443 to bypass intrusion detection systems.