| 8220 Gang | |
|---|---|
| Other Names | 8220 Mining Group, Returned Libra |
| Location | China |
| Date of initial activity | 2017 |
| Suspected attribution | GitHub fork of the Rocke group's software |
| Motivation | Financial Gain |
| Associated tools | Tsunami malware, XMRIG cryptominer (PwnRig, DBUsed), masscan, spirit, PureCrypter MaaS |
Overview
The 8220 Gang, also known as the Returned Libra Mining Group, is a cloud threat actor group that has been active since at least 2017. The name derives from the group's use of port 8220 for command-and-control (C&C) communication. Tools commonly employed in its operations are PwnRig and DBUsed, customized variants of the XMRig Monero mining software. The 8220 mining group is believed to have originated from a GitHub fork of the Rocke group’s software. The gang has expanded its mining operations by scraping cloud service platform credentials.
Common targets
Victims of the 8220 Gang are typically, but not exclusively, users of cloud networks (AWS, Azure, GCP, Aliyun, QCloud) running vulnerable and misconfigured Linux applications and services. Victims are not selected geographically but simply identified by their reachability from the internet. The group appears opportunistic in choosing its targets, with no clear trend in country or industry.
Attack Vectors
The group infects cloud hosts through two infection vectors: exploitation of known vulnerabilities and brute forcing of remote access services.
How they operate
The 8220 Gang is an active threat group known for scanning for and exploiting vulnerabilities in cloud and container environments. It specifically targets applications such as Oracle WebLogic, Apache Log4j, Atlassian Confluence, and misconfigured Docker containers, with the objective of deploying cryptocurrency mining software on compromised systems.
To carry out its attacks, the gang uses tools including the Tsunami malware, the XMRIG cryptominer, masscan, and spirit, which help it identify and exploit weaknesses in the targeted applications.
Post-infection, attacks use SSH brute forcing to automate local and global spreading attempts. Victims using cloud infrastructure (AWS, Azure, GCP, Aliyun, QCloud) are often infected via publicly accessible hosts running Docker, Confluence, Oracle WebLogic, and Redis.
In its attack payload, the gang employs a PowerShell script that is responsible for downloading and creating the additional files needed for the attack. Alongside the recently disclosed use of CVE-2021-44228 and CVE-2017-3506, the group has attempted to exploit CVE-2020-14883, a remote code execution vulnerability in Oracle WebLogic Server, to propagate malware. Surprisingly, despite its age, the vulnerability remains present on some systems, making it a valuable target for the gang.
The gang's ultimate goal is to install and execute a cryptocurrency miner on the compromised systems. It achieves this by injecting an encrypted resource file into the MSBuild process and communicating with its command-and-control (C&C) servers, which provide instructions and deliver the files needed for the cryptocurrency mining operation.
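As an added defender-side illustration (not code from the original page or from any of the referenced reports), the following Python script correlates two of the hallmarks described above: outbound connections to TCP/8220, the port the group is named after, and bursts of failed SSH logins originating from an already-infected internal host attempting to spread. The log lines, the internal address range, the failure threshold and the simplified Zeek-style field layout are all constructed assumptions for this example.

```python
import re
from collections import Counter

# Constructed sample data (not from the page): a simplified Zeek conn.log layout,
# fields: ts uid orig_h orig_p resp_h resp_p proto
CONN_LOG = """\
1700000000.1 C1 10.0.0.5 51234 203.0.113.10 8220 tcp
1700000001.2 C2 10.0.0.5 51235 203.0.113.10 443 tcp
1700000002.3 C3 10.0.0.7 40000 198.51.100.20 8220 tcp
1700000003.4 C4 10.0.0.9 40001 10.0.0.1 22 tcp
"""
# Constructed sshd syslog lines from a neighbouring host probed from inside.
AUTH_LOG = """\
Nov 14 10:00:01 web1 sshd[1201]: Failed password for root from 10.0.0.5 port 50001 ssh2
Nov 14 10:00:02 web1 sshd[1202]: Failed password for admin from 10.0.0.5 port 50002 ssh2
Nov 14 10:00:03 web1 sshd[1203]: Failed password for root from 10.0.0.5 port 50003 ssh2
Nov 14 10:00:04 web1 sshd[1204]: Failed password for invalid user test from 10.0.0.5 port 50004 ssh2
Nov 14 10:00:05 web1 sshd[1205]: Failed password for root from 10.0.0.9 port 50005 ssh2
Nov 14 10:00:06 web1 sshd[1206]: Accepted password for deploy from 10.0.0.9 port 50006 ssh2
"""

C2_PORT = 8220               # the port the group is named after
INTERNAL_PREFIX = "10.0.0."  # assumed internal range for this example
SSH_FAIL_THRESHOLD = 3       # assumed tuning value; adjust to your own baseline
SSH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")

def outbound_c2_hits(conn_log: str) -> list[tuple[str, str]]:
    """(orig_h, resp_h) pairs where an internal host connects out to TCP/8220."""
    hits = []
    for line in conn_log.splitlines():
        _ts, _uid, orig_h, _orig_p, resp_h, resp_p, proto = line.split()
        if (proto == "tcp" and int(resp_p) == C2_PORT
                and orig_h.startswith(INTERNAL_PREFIX)
                and not resp_h.startswith(INTERNAL_PREFIX)):
            hits.append((orig_h, resp_h))
    return hits

def ssh_bruteforce_sources(auth_log: str, threshold: int = SSH_FAIL_THRESHOLD) -> dict[str, int]:
    """Internal source IPs whose failed SSH logins reach the threshold (lateral spread)."""
    fails = Counter()
    for line in auth_log.splitlines():
        m = SSH_FAIL_RE.search(line)
        if m and m.group(2).startswith(INTERNAL_PREFIX):
            fails[m.group(2)] += 1
    return {ip: n for ip, n in fails.items() if n >= threshold}

def correlate(conn_log: str, auth_log: str) -> list[str]:
    """Hosts that both beacon to 8220 and brute-force SSH internally: triage these first."""
    beaconing = {src for src, _ in outbound_c2_hits(conn_log)}
    return sorted(beaconing & set(ssh_bruteforce_sources(auth_log)))
```

A port-only match is noisy on its own, which is why the correlation with internal SSH failures is the signal worth paging on; in production, feed real conn.log and auth.log data rather than the embedded samples.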
References:
- Connecting the dots between recently active cryptominers
- 8220 Gang Deploys a New Campaign with Upgraded Techniques
- From the Front Lines | 8220 Gang Massively Expands Cloud Botnet to 30,000 Infected Hosts
- 8220 Gang Cloud Botnet Targets Misconfigured Cloud Workloads
- Old Cyber Gang Uses New Crypter – ScrubCrypt
- 8220 Gang Exploiting Vulnerabilities in Cloud Environments for Cryptocurrency Mining
- 8220 Gang Evolves With New Strategies
- Imperva Detects Undocumented 8220 Gang Activities
- 8220 Gang Cryptomining Campaign Targets Linux & Windows Platforms