A cloud threat actor tracked as 8220 has updated its malware toolset to breach Linux servers and install cryptocurrency miners. “Updates include the deployment of new versions of a cryptocurrency miner and an IRC bot,” Microsoft Security Intelligence said in a series of tweets on Thursday.
8220, active since early 2017, is a Chinese-speaking threat actor that mines the Monero cryptocurrency. The name comes from its preference for communicating with command and control (C&C) servers over port 8220. It is also the “developer” of a tool called whatMiner, which was co-opted by the Rocke cybercriminal group.
In July 2019, the Alibaba Cloud Security Team discovered a change in the group’s tactics, noting the use of rootkits (malware that works by intercepting operating system calls and altering their results) to hide the mining program. Two years later, the gang resurfaced with variants of the Tsunami IRC botnet and a custom miner, “PwnRig”.
Now, according to Microsoft, the latest campaign, which targets Linux i686 and x86_64 systems, has been observed weaponizing remote code execution (RCE) exploits for the recently disclosed Atlassian Confluence Server flaw (CVE-2022-26134) and for Oracle WebLogic (CVE-2019-2725) to gain initial access.
This step is followed by retrieving a malware loader from a remote server that is designed to drop the PwnRig miner and an IRC bot, but not before taking steps to evade detection by erasing log files and disabling cloud monitoring and security software.
In addition to achieving persistence via a cron job, the “loader uses the ‘masscan’ IP port scan tool to find other SSH servers on the network and then uses the GoLang-based SSH brute force tool ‘spirit’ to propagate,” Microsoft said.
The findings come after Akamai revealed that the Atlassian Confluence flaw is witnessing 20,000 exploit attempts a day that are launched from around 6,000 IP addresses, down from a peak of 100,000 shortly after the bug was disclosed on June 2. Sixty-seven percent of the attacks allegedly originated in the US.
“In the lead, commerce is the target of 38% of attacks, followed by the high-tech and financial services sectors, respectively,” Akamai’s Chen Doytshman said last week. “These three main verticals represent more than 75% of the activities [of the malware].” Attacks range from vulnerability probes to determine whether the target system is susceptible to malware injection, such as web shells and crypto miners, the cloud security firm noted.
“What is particularly concerning is how much change this type of attack has seen in the last few weeks,” added Doytshman. “As we have seen with similar vulnerabilities, this CVE-2022-26134 will likely continue to be exploited for at least the next two years.”