As part of an ongoing campaign, a cloud threat actor group known as 8220 has improved the malware toolset it uses to breach Linux servers. The group's objective is to install cryptocurrency miners using these tools.
In a series of tweets published on Thursday, Microsoft Security Intelligence stated that the updates "include the deployment of new versions of a crypto miner and an IRC bot." Over the course of the past year, the organization has made numerous efforts to improve both its methods and its payloads.
8220 is a Chinese-speaking Monero mining threat actor that has been active since the beginning of 2017. It got its name from the fact that the actor prefers to communicate with command-and-control (C2) servers over port 8220. In addition to this, it is the creator of a piece of software known as whatMiner, which is used by the Rocke cybercrime group in the attacks that they launch.
The Alibaba Cloud Security Team uncovered an additional shift in the adversary's tactics in the month of July 2019, noting that the adversary was using rootkits to hide the mining program that it was using. After a period of two years, the group reappeared with modified versions of the Tsunami IRC botnet as well as a specialized "PwnRig" miner.
According to Microsoft, the most recent campaign that targeted i686 and x86 64 Linux systems was seen utilizing remote code execution exploits for recently disclosed vulnerabilities in Atlassian Confluence Server (CVE-2022-26134) and Oracle WebLogic (CVE-2019-2725) for initial access. This information comes from Microsoft's observation of the campaign.
After this step is complete, a malware loader is retrieved from a remote server. This malware loader is intended to drop a PwnRig miner along with an IRC bot. However, this step is not completed until after steps to avoid detection have been taken, such as deleting log files and turning off cloud monitoring and security software.
According to Microsoft, the "loader uses the IP port scanner tool'masscan' to find other SSH servers in the network, and then uses the GoLang-based SSH brute force tool'spirit' to propagate." This is in addition to the use of a cron job, which allows the malware to remain persistent.
The findings come as Akamai disclosed that the Atlassian Confluence flaw is seeing a consistent 20,000 exploitation attempts per day that are launched from approximately 6,000 IPs. This is a decrease from the peak of 100,000 exploitation attempts that occurred immediately after the bug was disclosed on June 2, 2022. It is believed that the United States was the point of origin for 67 percent of the attacks.
According to comments made by Akamai's Chen Doytshman earlier this week, "in the lead, commerce accounts for 38 percent of the attack activity," followed by "high tech" and "financial services" respectively. More than seventy-five percent of the activity can be attributed to these top three verticals.
According to the cloud security company, the attacks range from vulnerability probes to determine if the target system is susceptible to injection of malware such as web shells and crypto miners. These probes are used to determine if the target system is vulnerable to these types of attacks.
"What is particularly concerning is how much of a shift upward this attack type has garnered over the past several weeks," Doytshman added. "This attack type has garnered a lot of attention over the past few weeks." "Just like we have seen in the past with other vulnerabilities of this type, it is highly likely that CVE-2022-26134 will continue to be exploited for at least the next couple of years."
Post a Comment
Your suggestions and comments are welcome