A cryptomining gang known as 8220 Gang has been exploiting Linux and cloud app vulnerabilities to grow their botnet to more than 30,000 infected hosts.
The low-skilled, financially motivated actor infects hosts on AWS, Azure, GCP, Aliyun, and QCloud after targeting publicly reachable systems running vulnerable versions of Docker, Redis, Confluence, and Apache.
The gang has added new capabilities to the infection script it uses to expand the botnet; the script is reasonably stealthy despite lacking dedicated detection evasion mechanisms. The 8220 Gang now uses a new version of its custom cryptominer, PwnRig, which is based on the open-source Monero miner XMRig.
In the latest version of PwnRig, the miner uses a fake FBI subdomain whose IP address points to a Brazilian federal government domain to create a fake pool request and obscure the real destination of the mined funds.
The group has begun using a dedicated file to manage the SSH brute-forcing step; it contains 450 hardcoded credentials covering a broad range of Linux devices and applications. After gaining access, the attackers brute-force SSH from the compromised host to spread further and hijack available computational resources to run cryptominers pointing to untraceable pools.
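The lateral-movement step described above leaves a recognisable trace on each target: a burst of failed SSH password attempts from one source, often across many usernames, followed by a successful login. The following is an added example (not code from the article or from the 8220 Gang's tooling) of detection logic that runs over sshd log lines. The log lines are constructed to mimic a Debian-style /var/log/auth.log, and the threshold and window values are assumptions chosen for illustration, not figures from the report.

```python
"""Flag SSH brute-force bursts and 'failures then success' per source IP.

Added example, not part of the original article. The log sample below is
constructed, and the threshold/window defaults are assumed values.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in rsyslog/sshd style (assumed format, not real traffic).
SAMPLE_LOG = """\
Jul 18 10:00:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 40001 ssh2
Jul 18 10:00:02 host sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
Jul 18 10:00:03 host sshd[2103]: Failed password for root from 203.0.113.7 port 40003 ssh2
Jul 18 10:00:04 host sshd[2104]: Failed password for invalid user oracle from 203.0.113.7 port 40004 ssh2
Jul 18 10:00:05 host sshd[2105]: Failed password for root from 203.0.113.7 port 40005 ssh2
Jul 18 10:00:06 host sshd[2106]: Accepted password for root from 203.0.113.7 port 40006 ssh2
Jul 18 10:05:00 host sshd[2200]: Accepted publickey for deploy from 198.51.100.20 port 51000 ssh2
Jul 18 10:06:00 host sshd[2201]: Failed password for deploy from 198.51.100.20 port 51001 ssh2
"""

# Matches both "Failed password for [invalid user] X from IP" and
# "Accepted password|publickey for X from IP".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_events(text, year=2022):
    """Return (timestamp, result, user, ip) tuples; syslog lines lack a year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd noise (session opened/closed, etc.)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect(events, threshold=5, window_seconds=60):
    """Sliding window per source IP.

    'brute_force'              : >= threshold failures within window_seconds
    'success_after_failures:U' : an accepted login as U while the window
                                 still holds >= threshold failures, i.e. the
                                 password guessing most likely succeeded.
    Thresholds are assumed values; tune them to the host's normal traffic.
    """
    failures = defaultdict(list)  # ip -> timestamps of recent failures
    findings = {}
    for ts, result, user, ip in sorted(events):
        recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_seconds]
        failures[ip] = recent
        if result == "Failed":
            recent.append(ts)
            if len(recent) >= threshold:
                findings.setdefault(ip, set()).add("brute_force")
        elif result == "Accepted" and len(recent) >= threshold:
            findings.setdefault(ip, set()).add(f"success_after_failures:{user}")
    return {ip: sorted(tags) for ip, tags in findings.items()}


def run_sample():
    """Run the detector over the constructed sample."""
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for ip, tags in run_sample().items():
        print(ip, ", ".join(tags))
```

On the sample, 203.0.113.7 is flagged for both the burst and the subsequent accepted root login, while the single failure from 198.51.100.20 stays below the threshold. The "success after failures" tag is the one worth paging on: a burst alone is background noise on any internet-facing SSH port, but a success at the end of one is the moment the host joins the botnet.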