A cloud threat actor group tracked as 8220 has updated its malware toolset to breach Linux servers with the goal of installing crypto miners as part of a long-running campaign.
"The updates include the deployment of new versions of a crypto miner and an IRC bot," Microsoft Security Intelligence said in a series of tweets on Thursday. "The group has actively updated its techniques and payloads over the last year."
8220, active since early 2017, is a Chinese-speaking, Monero-mining threat actor so named for its preference to communicate with command-and-control (C2) servers over port 8220. It's also the developer of a tool called whatMiner, which has been co-opted by the Rocke cybercrime group in their attacks.
In July 2019, the Alibaba Cloud Security Team uncovered an extra shift in the adversary's tactics, noting its use of rootkits to hide the mining program. Two years later, the gang resurfaced with Tsunami IRC botnet variants and a custom "PwnRig" miner.
Now according to Microsoft, the most recent campaign striking i686 and x86_64 Linux systems has been observed weaponizing remote code execution exploits for the freshly disclosed Atlassian Confluence Server (CVE-2022-26134) and Oracle WebLogic (CVE-2019-2725) for initial access.
This step is succeeded by the retrieval of a malware loader from a remote server that's designed to drop the PwnRig miner and an IRC bot, but not before taking steps to evade detection by erasing log files and disabling cloud monitoring and security software.
Besides achieving persistence by means of a cron job, the "loader uses the IP port scanner tool 'masscan' to find other SSH servers in the network, and then uses the GoLang-based SSH brute force tool 'spirit' to propagate," Microsoft said.
Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.RESERVE YOUR SEAT
The findings come as Akamai revealed that the Atlassian Confluence flaw is witnessing a steady 20,000 exploitation attempts per day that are launched from about 6,000 IPs, down from a peak of 100,000 in the immediate aftermath of the bug disclosure on June 2, 2022. 67% of the attacks are said to have originated from the U.S.
"In the lead, commerce accounts for 38% of the attack activity, followed by high tech and financial services, respectively," Akamai's Chen Doytshman said this week. "These top three verticals make up more than 75% of the activity."
The attacks range from vulnerability probes to determine if the target system is susceptible to injection of malware such as web shells and crypto miners, the cloud security company noted.
"What is particularly concerning is how much of a shift upward this attack type has garnered over the last several weeks," Doytshman added. "As we have seen with similar vulnerabilities, this CVE-2022-26134 will likely continue to be exploited for at least the next couple of years."