Chinese threat actor 8220 Gang has been found enhancing its attack techniques to launch sophisticated cryptomining attacks. The group is well known for using tactics and techniques borrowed from TeamTNT, Rocke, and WatchDog cybercriminal gangs.
Some of the tactics involve using malicious Docker images and exploiting Struts2, Redis, and Weblogic servers. More recently, the gang was found exploiting Linux and cloud app vulnerabilities to expand its botnet and cryptomining attacks.
What’s the latest update?
While the gang continues to scan the internet for vulnerable applications, changes have been observed in the execution stages.
Some of these attacks leveraged vulnerable Oracle Weblogic servers, and the other campaign attacked a vulnerable Apache web server.
Unlike the previous campaign that involved the reuse of C2 infrastructure, 8220 Gang has upgraded to consistently changing its C2 IP addresses.
The gang is also using the ‘onacroner’ script for the first time, something that has been previously used by the Rocke cryptomining group.
More information
Threats against public cloud environments continue to be a security concern as Radware issued a threat advisory against the gang.
The cybersecurity firm highlighted that low-skilled groups such as 8220 Gang are able to cause a significant impact because of poor security hygiene.
The gang’s main objective is to compromise poorly secured cloud servers with a custom-built cryptominer and a Tsunami IRC bot.
Furthermore, it can expose systems to more security risks, and once infected, threat actors are able to use the same access to install other malware.
Conclusion
8220 Gang has been evolving its TTPs to conceal its actions and avoid detections. Organizations must set aside budgets to adequately secure cloud environments against DDoS and cryptomining attacks. Moreover, they can leverage threat intelligence platforms to track IOCs and understand the attack patterns of the attackers.