Updated on 2022-10-17
SentinelOne said last week that 8220 Gang, an infamous cybercrime group that is known for targeting cloud-based infrastructure for cryptomining attacks, has updated its infrastructure and attack methods and is now targeting misconfigured versions of Docker, Apache, and WebLogic servers. In a previous report in July, SentinelOne said the gang infected more than 30,000 cloud servers by exploiting known vulnerabilities and via brute-force attacks. Read more:
- 8220 Gang Cloud Botnet Targets Misconfigured Cloud Workloads
- From the Front Lines | 8220 Gang Massively Expands Cloud Botnet to 30,000 Infected Hosts
Microsoft has a Twitter thread on the recent activities of the 8220 Gang, a cryptocurrency-mining group active since early 2021. Microsoft says the group has recently been seen exploiting vulnerabilities such as CVE-2022-26134 (Confluence) and CVE-2019-2725 (WebLogic) for initial access against Linux systems, confirming similar observations from Check Point earlier this month.
We observed notable updates to the long-running malware campaign targeting Linux systems by a group known as the 8220 gang. The updates include the deployment of new versions of a cryptominer and an IRC bot, as well as the use of an exploit for a recently disclosed vulnerability.
— Microsoft Security Intelligence (@MsftSecIntel) June 29, 2022