HackDig : Dig high-quality web security articles

A long-running cryptomining campaign conducted by 8220 hackers now targets Linux servers

2022-07-01 11:10

Microsoft spotted a cloud threat actor tracked as 8220 that is now targeting Linux servers in a long-running cryptomining campaign.

Microsoft Security Intelligence experts are warning of a long-running campaign conducted by a cloud threat actor group, tracked as 8220, that is now targeting Linux servers to install crypto miners.

“We observed notable updates to the long-running malware campaign targeting Linux systems by a group known as the 8220 gang.” reads one of the tweets published by Microsoft Security Intelligence “The updates include the deployment of new versions of a cryptominer and an IRC bot, as well the use of an exploit for a recently disclosed vulnerability.”

The 8220 group has been active since at least 2017, it focuses on cryptomining campaigns. The threat actors are Chinese-speaking, the names of the group come for the port number 8220 used by the miner to communicate with the C2 servers.

According to Microsoft researchers, the group has actively updated its techniques and payloads over the last year. In a recent campaign, the group targeted i686 and x86_64 Linux systems and uses RCE exploits for CVE-2022-26134 (Atlassian Confluence) and CVE-2019-2725 (WebLogic) for initial access.

Once gained access to a target system, an evasive loader is downloaded from jira[.]letmaker[.]top. The loader eludes detection by clearing log files and disabling cloud monitoring and security tools.

The loader is used to download the pwnRig crpytominer (v1.41.0) and an IRC bot that runs commands from a C2 server. In orIt maintains persistence by creating either a cronjob or a script that runs every 60 seconds as nohup.

Microsoft urges organizations to secure systems and servers, apply updates, and use good credential hygiene to protect their networks. Microsoft Defender for Endpoint on Linux detects malicious behaviors and payloads related to this campaign.

The IT giant also shared indicators of compromise (IoCs) for this campaign.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, 8220)

The post A long-running cryptomining campaign conducted by 8220 hackers now targets Linux servers appeared first on Security Affairs.

Source: lmth.ngiapmac-gninimotpyrc-0228/emirc-rebyc/777231/sserpdrow/oc.sriaffaytiruces

Read:552 | Comments:0 | Tags:Breaking News Cyber Crime Digital ID Hacking Malware 8220 ha

“A long-running cryptomining campaign conducted by 8220 hackers now targets Linux servers”0 Comments

Submit A Comment



Blog :

Verification Code:


Share high-quality web security related articles with you:)
Tell me why you support me <3

Tag Cloud