Microsoft Warns of Cryptomining Malware Campaign Targeting Linux Servers


A group of cloud threat actors tracked as 8220 has updated its malicious toolset to breach Linux servers and install crypto-miners as part of a long-running campaign.

“Updates include rolling out new versions of a crypto-miner and an IRC bot,” Microsoft Security Intelligence said in a series of tweets on Thursday. “The group has been actively updating its techniques and payloads over the past year.”

8220, active since early 2017, is a Chinese Monero-mining threat actor, so named for its preference for communicating with command-and-control (C2) servers on port 8220. It is also the developer of a tool called whatMiner, which was co-opted by the cybercriminal group Rocke into their attacks.

In July 2019, the Alibaba Cloud Security team discovered an additional change in the adversary’s tactics, noting their use of rootkits to hide the mining program. Two years later, the gang resurfaced with Tsunami IRC botnet variants and a custom “PwnRig” miner.

Now, according to Microsoft, the most recent campaign hitting i686 and x86_64 Linux systems has been observed weaponizing remote code execution exploits for the recently disclosed Atlassian Confluence Server flaw (CVE-2022-26134) and Oracle WebLogic (CVE-2019-2725) for initial access.

This step is followed by retrieving a malware loader from a remote server that drops the PwnRig miner and an IRC bot, but not before taking steps to evade detection by clearing log files and disabling cloud monitoring and security software.

In addition to achieving persistence by means of a cron job, the “loader uses the ‘masscan’ IP port scanner tool to find other SSH servers in the network, and then uses the GoLang-based SSH brute force tool ‘spirit’ to spread,” Microsoft said.
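The loader behaviour described above (cron persistence, log clearing, disabling monitoring agents, masscan-based SSH discovery and SSH brute forcing) gives a defender concrete things to look for in host logs. The sketch below is an added example, not code from Microsoft's or Akamai's reporting: the host name, paths, IP addresses and service names in the sample lines are constructed, and the patterns are illustrative of each behaviour rather than signatures for this campaign.

```python
import re
from collections import Counter, defaultdict

# Constructed syslog/auditd-style lines (hypothetical host, paths, IPs), not real telemetry.
SAMPLE_LOGS = [
    'Jun 10 12:01:02 web1 CRON[4412]: (root) CMD (/tmp/.x/loader >/dev/null 2>&1)',
    'Jun 10 12:01:05 web1 audit: exe=/bin/sh cmd="rm -f /var/log/wtmp /var/log/secure"',
    'Jun 10 12:01:06 web1 audit: exe=/bin/sh cmd="systemctl stop cloud-monitor-agent"',
    'Jun 10 12:01:20 web1 audit: exe=/usr/bin/masscan cmd="masscan 10.0.0.0/8 -p22 --rate 5000"',
    'Jun 10 12:02:01 web1 sshd[5001]: Failed password for root from 10.0.0.5 port 40001 ssh2',
    'Jun 10 12:02:02 web1 sshd[5002]: Failed password for root from 10.0.0.5 port 40002 ssh2',
    'Jun 10 12:02:03 web1 sshd[5003]: Failed password for admin from 10.0.0.5 port 40003 ssh2',
    'Jun 10 12:02:04 web1 sshd[5004]: Failed password for admin from 10.0.0.5 port 40004 ssh2',
    'Jun 10 12:02:05 web1 sshd[5005]: Failed password for root from 10.0.0.5 port 40005 ssh2',
    'Jun 10 12:03:00 web1 sshd[5100]: Accepted publickey for deploy from 10.0.0.9 port 5000 ssh2',
    'Jun 10 12:05:00 web1 CRON[4500]: (root) CMD (/usr/bin/logrotate /etc/logrotate.conf)',
]

# One rule per behaviour named in the article; patterns are illustrative, not campaign IoCs.
RULES = {
    # cron entry executing from a temp directory or a hidden (dot) directory
    "cron_from_temp_or_hidden_dir": re.compile(r"CRON\[\d+\]: .*CMD \((?:/tmp/|/dev/shm/|/var/tmp/|\S*/\.[^/\s]+/)"),
    # wiping logs or shell history
    "log_clearing": re.compile(r'cmd="(?:(?:rm|truncate|shred)\b.*(?:/var/log/|\.bash_history)|history -c)'),
    # stopping or killing monitoring / security agents
    "monitoring_disabled": re.compile(r'cmd="(?:systemctl (?:stop|disable)|service|pkill|kill)\b.*(?:monitor|agent|security|defen)'),
    # masscan run against port 22 (SSH discovery step)
    "masscan_ssh_discovery": re.compile(r'(?:exe=\S*masscan|cmd="masscan\b).*-p\s*22\b'),
}
FAILED_SSH = re.compile(r"sshd\[\d+\]: Failed password for \S+ from (\d+\.\d+\.\d+\.\d+)")

def detect(lines, fail_threshold=5):
    """Return {rule_name: [hits]} for the loader behaviours plus SSH brute-force bursts per source."""
    findings = defaultdict(list)
    fails = Counter()
    for line in lines:
        for name, pattern in RULES.items():
            if pattern.search(line):
                findings[name].append(line)
        m = FAILED_SSH.search(line)
        if m:
            fails[m.group(1)] += 1
    for src, n in fails.items():
        if n >= fail_threshold:
            findings["ssh_bruteforce_source"].append(f"{src} ({n} failed logins)")
    return dict(findings)

if __name__ == "__main__":
    for rule, hits in detect(SAMPLE_LOGS).items():
        print(f"[{rule}]", *hits, sep="\n    ")
```

Feed real syslog or auditd output to detect() line by line; a single host tripping several of these rules in quick succession is the pattern worth alerting on, not any one rule alone.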


The findings come as Akamai revealed that the Atlassian Confluence flaw is seeing 20,000 exploit attempts per day, launched from approximately 6,000 IP addresses, down from a spike of 100,000 immediately after the bug was disclosed on June 2, 2022. 67% of the attacks originate from the United States.

“In the lead, commerce accounts for 38% of attack activity, followed by high tech and financial services, respectively,” Akamai’s Chen Doytshman said this week. “These three main verticals represent more than 75% of the activity.”

The attacks range from vulnerability probes to determining whether the target system is susceptible to injecting malware such as web shells and crypto-miners, the cloud security firm noted.

“What is particularly concerning is the magnitude of the upward shift in this type of attack over the past few weeks,” Doytshman added. “As we have seen with similar vulnerabilities, this CVE-2022-26134 will likely continue to be exploited for at least the next two years.”

