A cryptomining group known as '8220' has grown to as many as 30,000 infected hosts, up from roughly 2,000 hosts globally in mid-2021. The 8220 group is one of several low-skill cybercriminal gangs observed infecting cloud hosts to run a botnet and cryptocurrency miners.
The growth is driven by exploitation of Linux and common cloud application vulnerabilities and weak configurations in services such as Docker, Apache WebLogic, and Redis. The Monero-mining threat actor, believed to be of Chinese origin, was most recently seen targeting i686 and x86_64 Linux systems by weaponizing a recent remote code execution exploit for Atlassian Confluence Server (CVE-2022-26134) to drop the PwnRig miner payload.
Victims are selected by internet accessibility rather than geography. The infection script is designed to disable cloud security tools and carry out SSH brute-forcing using a list of 450 hard-coded credentials in order to move laterally across the network.
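A defender-side way to surface the SSH credential brute-forcing described above is to look for bursts of failed password logins from one source followed by a password-based success from that same source. The following is an added example, not code from the original report; the sshd log lines, the threshold of five failures and the five-minute window are constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (not from the report): one source sprays
# passwords and then succeeds, another is a normal user with a single typo.
SAMPLE_LOG = """\
Jul 10 02:11:01 web1 sshd[2031]: Failed password for root from 203.0.113.7 port 40211 ssh2
Jul 10 02:11:02 web1 sshd[2033]: Failed password for invalid user admin from 203.0.113.7 port 40212 ssh2
Jul 10 02:11:03 web1 sshd[2035]: Failed password for root from 203.0.113.7 port 40213 ssh2
Jul 10 02:11:04 web1 sshd[2037]: Failed password for root from 203.0.113.7 port 40214 ssh2
Jul 10 02:11:05 web1 sshd[2039]: Failed password for root from 203.0.113.7 port 40215 ssh2
Jul 10 02:11:06 web1 sshd[2041]: Accepted password for root from 203.0.113.7 port 40216 ssh2
Jul 10 02:30:00 web1 sshd[2100]: Failed password for alice from 198.51.100.9 port 50000 ssh2
Jul 10 02:45:00 web1 sshd[2101]: Accepted publickey for alice from 198.51.100.9 port 50001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse(log, year=2022):
    """Return (timestamp, src, user, result, method) tuples; syslog lacks a year."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m['src'], m['user'], m['result'], m['method']))
    return events

def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Map src -> (failures_in_burst, accounts compromised by password login
    within `window` after the burst) for sources with >= threshold failures."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e[3] == "Failed"]
        for i in range(len(fails)):
            burst = [f for f in fails[i:] if f[0] - fails[i][0] <= window]
            if len(burst) >= threshold:
                end = burst[-1][0]
                users = sorted({e[2] for e in evs if e[3] == "Accepted"
                                and e[4] == "password" and end <= e[0] <= end + window})
                findings[src] = (len(burst), users)
                break
    return findings
```

A non-empty `users` list is the high-priority case: it indicates one of the hard-coded credentials actually worked on that host.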
Newer versions of the script also use blocklists to avoid compromising specific hosts, such as honeypot servers that could flag the activity. The PwnRig crypto miner, which is based on the open-source Monero miner XMRig, has received updates of its own as well: it uses a fake FBI subdomain whose IP address points to a legitimate Brazilian federal government domain to make a rogue pool request and obscure the true destination of the mined funds.
The campaign has continued despite falling cryptocurrency prices. Over the last few years the 8220 group has slowly developed its simple yet effective Linux infection scripts to expand a botnet and illicit cryptocurrency mining operation, most recently growing the botnet to nearly 30,000 victims globally over a matter of weeks.