8220 Cryptomining Gang Targets Linux and Cloud Apps to Expand Cloud Botnet


The 8220 cryptomining gang has expanded its Cloud Botnet to nearly 30,000 hosts worldwide over the past month.
The exploitation of Linux and cloud app vulnerabilities and poorly secured configurations for services such as Docker, Confluence, Apache WebLogic, and Redis has played a significant role in the growth of the Cloud Botnet. 
“8220 Gang is one of the many low-skill crimeware gangs we continually observe infecting cloud hosts and operating a botnet and cryptocurrency miners through known vulnerabilities and remote access brute forcing infection vectors,” Tom Hegel of SentinelOne explained in a blog post. 
The 8220 gang has been operating since at least 2017. Its members are Chinese-speaking, and the group takes its name from port 8220, which the miner uses to communicate with its C2 servers. In the latest campaign, the Monero-mining group targeted i686 and x86_64 Linux systems by weaponizing a recent remote code execution exploit for Atlassian Confluence Server (CVE-2022-26134) to install the PwnRig miner payload.
“Victims are not targeted geographically, but simply identified by their internet accessibility,” Hegel pointed out. Besides executing the PwnRig cryptocurrency miner, the group began using a dedicated file to manage the SSH brute forcing step, containing 450 hardcoded credentials corresponding to a wide

[…]

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
