Security News > 2022 > July > This Cloud Botnet Has Hijacked 30,000 Systems to Mine Cryptocurrencies

The 8220 cryptomining group has expanded in size to encompass as many as 30,000 infected hosts, up from 2,000 hosts globally in mid-2021.

"8220 Gang is one of the many low-skill crimeware gangs we continually observe infecting cloud hosts and operating a botnet and cryptocurrency miners through known vulnerabilities and remote access brute forcing infection vectors," Tom Hegel of SentinelOne said in a Monday report.

Active since early 2017, the Chinese-speaking, Monero-mining threat actor was most recently seen targeting i686 and x86 64 Linux systems by means of weaponizing a recent remote code execution exploit for Atlassian Confluence Server to drop the PwnRig miner payload. "Victims are not targeted geographically, but simply identified by their internet accessibility," Hegel pointed out.

Besides executing the PwnRig cryptocurrency miner, the infection script is also designed to remove cloud security tools and carry out SSH brute-forcing via a list of 450 hard-coded credentials to further propagate laterally across the network.

"Over the past few years 8220 Gang has slowly evolved their simple, yet effective, Linux infection scripts to expand a botnet and illicit cryptocurrency miner," Hegel concluded.

"The group has made changes over the recent weeks to expand the botnet to nearly 30,000 victims globally."

News URL

https://thehackernews.com/2022/07/this-cloud-botnet-has-hijacked-30000.html