30,000 systems hijacked to mine cryptocurrencies.
A crypto mining gang called 8220 Gang has been exploiting Linux and cloud app vulnerabilities to grow their botnet to more than 30,000 infected hosts.
The group is a low-skilled, financially-motivated actor that infects AWS, Azure, GCP, Alitun, and QCloud hosts after targeting internet-exposed systems running vulnerable versions of Docker, Redis, Confluence, and Apache.
In its earlier attacks the gang relied on a publicly available exploit to compromise Confluence servers. After gaining access, the attackers use SSH brute forcing to spread further and hijack the available computing resources to run cryptominers that report to pools which cannot be traced back to the operators.
The 8220 Gang, which has been active since at least 2017, is not considered particularly sophisticated, but the sudden jump in infection numbers shows how dangerous and impactful these lower-tier actors can still be.
The latest campaign was observed and analyzed by SentinelLabs. In it, 8220 Gang has added new code to the script used to expand the botnet; the script is stealthy enough to evade notice despite lacking dedicated detection-evasion mechanisms.
The group now keeps the SSH brute-forcing step in a dedicated file that contains 450 hardcoded credential pairs covering a broad range of Linux devices and applications.
They have also added block lists to the script that exclude specific hosts from infection, mostly honeypots set up by security researchers.
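The SSH brute-forcing stage described above leaves a characteristic trace on the victim: a burst of failed password logins for many different usernames from one source, followed by a success. The following detector is an added example written for this page, not code from the gang's script or from SentinelLabs; the sshd log lines are constructed, and the thresholds (5 failures, 3 distinct users, 60-second window) are assumptions a defender would tune to their environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd syslog lines for illustration only (not from any real host).
# 203.0.113.7 walks a credential list and then lands a password login;
# 198.51.100.4 is a legitimate user who typo'd once and then used a key.
SAMPLE_LOG = """\
Jun 30 10:00:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jun 30 10:00:02 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Jun 30 10:00:03 web1 sshd[2105]: Failed password for invalid user oracle from 203.0.113.7 port 51026 ssh2
Jun 30 10:00:04 web1 sshd[2107]: Failed password for invalid user hadoop from 203.0.113.7 port 51028 ssh2
Jun 30 10:00:05 web1 sshd[2109]: Failed password for invalid user test from 203.0.113.7 port 51030 ssh2
Jun 30 10:00:06 web1 sshd[2111]: Accepted password for ubuntu from 203.0.113.7 port 51032 ssh2
Jun 30 10:00:09 web1 sshd[2113]: Failed password for alice from 198.51.100.4 port 40100 ssh2
Jun 30 10:00:20 web1 sshd[2115]: Accepted publickey for alice from 198.51.100.4 port 40101 ssh2
"""

# Matches both "Failed password for invalid user X" and "Failed password for X".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(log_text, year=2022):
    """Turn sshd lines into (timestamp, result, method, user, ip) tuples.
    syslog timestamps carry no year, so one is supplied (assumed 2022 here)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, window=timedelta(seconds=60),
                      min_failures=5, min_users=3):
    """Flag source IPs that produce >= min_failures failed password logins
    across >= min_users distinct usernames inside one sliding window, and
    record whether an accepted login from the same source followed."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[4]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [e for e in evs if e[1] == "Failed" and e[2] == "password"]
        for i, start in enumerate(fails):
            in_win = [e for e in fails[i:] if e[0] - start[0] <= window]
            users = {e[3] for e in in_win}
            if len(in_win) >= min_failures and len(users) >= min_users:
                last = in_win[-1][0]
                # A success within one window after the burst means the
                # credential list likely contained a valid pair for this host.
                success = [e for e in evs
                           if e[1] == "Accepted" and start[0] <= e[0] and e[0] - last <= window]
                alerts[ip] = {
                    "failures": len(in_win),
                    "users": sorted(users),
                    "success_after": bool(success),
                    "user": success[0][3] if success else None,
                }
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse(SAMPLE_LOG)).items():
        print(ip, info)
```

The distinct-username condition is what separates a credential list like the gang's from a single user mistyping a password; the "success after burst" flag is the line to page on, because it marks a host that has moved from probed to compromised. A block list of research honeypots, as the page notes the script now carries, does nothing against this kind of detection on real hosts.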
Finally, 8220 Gang now uses a new version of its custom cryptominer, PwnRig, which is based on the open-source Monero miner XMRig.