In July of 2022 we reported on 8220 Gang, one of the many low-skill crimeware gangs we observe infecting cloud hosts through known vulnerabilities and remote access brute forcing infection vectors. We noted that 8220 Gang had expanded its cloud service botnet to an estimated 30,000 hosts globally. In recent weeks, the group has rotated its attack infrastructure and continued to absorb compromised hosts into its botnet and to distribute cryptocurrency mining malware. Exploit attempts from 8220 Gang continue at a pace consistent with our previous reporting.

Misconfiguration Key to Infection Attempts

8220 Gang identifies targets via scanning for misconfigured or vulnerable hosts on the public internet. The majority of active victims are still operating outdated or misconfigured versions of Docker, Apache, WebLogic, and various Log4J vulnerable services. Victims are typically using cloud infrastructure such as AWS, Azure and similar with misconfigured instances that allow remote attackers to gain access. Publicly-accessible hosts running Docker, Confluence, Apache WebLogic, and Redis can easily be discovered and attacked with little technical know-how.

8220 Gang is known to make use of SSH brute force attacks post-infection for the purposes of lateral movement inside a compromised network. The top victims recently communicating as miner bots are exposed Ubiquiti UniFi Cloud Keys running outdated Network Controller software or Prometheus container monitoring systems. The vulnerabilities exploited are usually far from fresh, such as CVE-2019-2725, the Oracle WebLogic vulnerability being exploited to download the installer script, e.g., 871f38fd4299b4d94731745d8b33ae303dcb9eaa. The objective of the infection attempts continues to be growing the botnet and expanding cryptocurrency mining to additional hosts when possible.

We have observed 8220 Gang using the PureCrypter Malware-as-a-Service. PureCrypter is a loader service available for a low cost since 2021 and has been observed distributing a large variety of commodity malware. Windows systems targeted by 8220 Gang have been served by the PureCrypter downloader through the group's traditional C2 infrastructure, most commonly 7. The downloader then beacons back following the injector's image-extension URLs. The use of Discord URLs can also be observed for the download of illicit miners. One clear example is the miner ee6787636ea66f0ecea9fa2a88f800da806c3ea6 being delivered post-compromise.

It is unsurprising to discover 8220 Gang experimenting with new loaders and miners alongside their traditional exploitation attempts against publicly exposed services. As the threat landscape evolves, we can expect threat actors to seek new methods to thwart defenses, hide their campaigns, and generally attempt to increase attack success. This is simply a new iteration of 8220 Gang attempting to do so.

8220 Gang also makes use of a miner proxy at 39. Since July, 8220 Gang shifted to using 7, and then in early September 2022 rotated its infrastructure to 79.110.6223, primarily relying on two previously reported domains letmakertop and oracleservicetop.
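The report notes that 8220 Gang brute-forces SSH from already-compromised hosts to move laterally. As an added example that is not part of the report, the detector below runs over constructed sshd auth log lines and flags a burst of failed logins from an internal (RFC1918) source, noting whether an accepted login followed it; the hostnames, addresses, users and the threshold/window heuristic are all invented for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address

# Constructed sshd auth log (not from the report): internal host 10.0.0.5 makes
# five password guesses in three seconds and then gets in; 10.0.0.9 fails once.
SAMPLE_AUTH_LOG = """\
Sep  9 10:00:01 web01 sshd[2101]: Failed password for root from 10.0.0.5 port 40001 ssh2
Sep  9 10:00:02 web01 sshd[2102]: Failed password for root from 10.0.0.5 port 40002 ssh2
Sep  9 10:00:02 web01 sshd[2103]: Failed password for invalid user admin from 10.0.0.5 port 40003 ssh2
Sep  9 10:00:03 web01 sshd[2104]: Failed password for root from 10.0.0.5 port 40004 ssh2
Sep  9 10:00:03 web01 sshd[2105]: Failed password for root from 10.0.0.5 port 40005 ssh2
Sep  9 10:00:04 web01 sshd[2106]: Accepted password for root from 10.0.0.5 port 40006 ssh2
Sep  9 10:05:00 web01 sshd[2200]: Failed password for deploy from 10.0.0.9 port 51000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse_sshd(text, year=2022):
    """Yield (timestamp, result, user, src) per password-auth line; syslog has no year, so one is supplied."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["src"]

def find_bruteforce(text, threshold=5, window_s=60):
    """Return {src: summary} for sources with >= threshold failures within window_s seconds.
    'internal' flags RFC1918 sources (lateral movement); 'succeeded_after' flags a later Accepted login."""
    fails, accepted = defaultdict(list), defaultdict(list)
    for ts, result, _user, src in parse_sshd(text):
        (fails if result == "Failed" else accepted)[src].append(ts)
    hits = {}
    for src, times in fails.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            last = times[i + threshold - 1]
            if (last - times[i]).total_seconds() <= window_s:
                hits[src] = {
                    "failures": len(times),
                    "internal": ip_address(src).is_private,
                    "succeeded_after": any(t >= last for t in accepted[src]),
                }
                break
    return hits
```

An internal source that both bursts and then succeeds is the highest-priority case here, since it matches the post-infection pivot the report describes rather than ordinary internet background noise.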