
8220 Cryptomining Gang Targets Linux and Cloud Apps to Expand Cloud Botnet


The 8220 cryptomining gang has widened their Cloud Botnet over the last month to nearly 30,000 hosts globally. 
The exploitation of Linux and cloud app vulnerabilities and poorly secured configurations for services such as Docker, Confluence, Apache WebLogic, and Redis has played a significant role in the growth of the Cloud Botnet. 

"8220 Gang is one of the many low-skill crimeware gangs we continually observe infecting cloud hosts and operating a botnet and cryptocurrency miners through known vulnerabilities and remote access brute forcing infection vectors," Tom Hegel of SentinelOne explained in a blog post. 

The 8220 gang has been operating since at least 2017. Its members are Chinese-speaking, and the group's name comes from port 8220, which the miner uses to communicate with its C2 servers. In the latest campaign, the Monero-mining actor targeted i686 and x86_64 Linux systems by weaponizing a recent remote code execution exploit for Atlassian Confluence Server (CVE-2022-26134) to install the PwnRig miner payload. 

"Victims are not targeted geographically, but simply identified by their internet accessibility," Hegel pointed out. Besides running the PwnRig cryptocurrency miner, the group began using a dedicated file to manage the SSH brute-forcing step; it contains 450 hardcoded credentials covering a wide range of Linux devices and applications. 

The latest versions of the script are also known to use blocklists to avoid compromising specific hosts, such as honeypot servers that could expose their activity. 

The PwnRig miner, which is based on the open source Monero miner XMRig, has received updates of its own as well: it now uses a phony FBI subdomain, pointing at an IP address linked to a Brazilian federal government domain, to craft a fake mining pool request and obscure the true destination of the mined funds. 

The sudden surge in mining activities is also linked to the dwindling prices of cryptocurrencies, not to mention a heightened "battle" to take control of victim systems from competing cryptojacking-focused groups. Monero, in particular, has lost over 20% of its value over the past six months. 

"Over the past few years 8220 Gang has slowly evolved their simple, yet effective, Linux infection scripts to expand a botnet and illicit cryptocurrency miner," Hegel concluded. "The group has made changes over the recent weeks to expand the botnet to nearly 30,000 victims globally."