Microsoft Security Intelligence experts have issued a new warning against a known cloud threat actor (TA) group, dubbed 8220, targeting Linux servers to install crypto miners.
“We observed notable updates to the long-running malware campaign targeting Linux systems by a group known as the 8220 gang. The updates include the deployment of new versions of a crypto miner and an IRC bot, as well the use of an exploit for a recently disclosed vulnerability,” the technology giant wrote in a series of tweets.
According to Cisco's Talos Intelligence group, the 8220 gang has been operating since at least 2017, and primarily focuses on crypto mining campaigns. The threat actors are Chinese-speaking, the names of the group come from the port number 8220 used by the miner to communicate with the C2 servers.
Over the past year, the group has actively upgraded its methodologies and payloads. In a recent campaign, the hacking group targeted i686 and x86_64 Linux systems and employed RCE exploits for CVE-2022-26134 (Atlassian Confluence) and CVE-2019-2725 (Oracle WebLogic) for initial access, Microsoft researchers stated.
Once secured access to a target system, an evasive loader is downloaded from jira[.]letmaker[.]top. The loader eludes detection by clearing log files and disabling cloud monitoring and security tools.
Subsequently, the loader downloads the pwnRig crypto miner and an IRC bot that runs commands from a command-and-control (C2) server. It would then maintain persistence by designing either a cron job or a script running every 60 seconds as nohup.
“The loader uses the IP port scanner tool ‘masscan’ to find other SSH servers in the network and then uses the GoLang-based SSH brute force tool ‘spirit’ to propagate. It also scans the local disk for SSH keys to move laterally by connecting to known hosts.”
To guard networks against this threat, Microsoft urged organizations to secure systems and servers, apply updates, and use good credential hygiene. “Microsoft Defender for Endpoint on Linux detects malicious behaviors and payloads related to this campaign.”
The findings come after Akamai disclosed that the Atlassian Confluence vulnerability is experiencing a steady 20,000 exploitation attempts per day that are executed from nearly 6,000 IPs. However, these figures represent a substantial decline when compared to the peak of 100,000 the company witnessed upon the bug disclosure on June 02, 2022.
