8220 group has increased the botnet to 30 thousand hosts for cryptocurrency mining

Carding Forum

Professional
The cryptomining group "8220" exploited vulnerabilities in Linux and cloud applications to build a botnet of more than 30 thousand infected hosts.

In general, the participants of "8220" can be described as low-skilled but financially motivated cybercriminals. The group attacks AWS, Azure, GCP, Aliyun, and QCloud hosts through vulnerable versions of Docker, Redis, Confluence, and Apache. Previously, the attackers used a publicly available exploit to compromise Confluence servers.

After gaining access, the group brute-forces SSH credentials to move further into the environment and launch cryptominers that mine digital currency at the expense of the victim's computing resources.

The 8220 group has been active since at least 2017. Although the attackers' skill and knowledge leave much to be desired, they have managed to grow their campaigns to a serious scale. This is yet another example of how dangerous low-skilled cybercriminals can be.

The latest "8220" campaign was analyzed by SentinelLabs specialists, who noted changes in the malicious script used to build the botnet. The code turned out to be fairly stealthy, even though it has no standard detection-evasion mechanisms.

Since the end of June, the attackers have been using a dedicated file for SSH brute-forcing that contains 450 hard-coded credentials. The botnet operators also added a block list to the script to exclude certain hosts from the attack chain; this stop list consists mainly of honeypots run by security researchers.

In addition, the group uses a new version of its custom cryptominer, PwnRig, based on the open-source Monero miner XMRig. The latest version of PwnRig uses a fake FBI subdomain whose IP address points to a Brazilian state resource.

• Source: https://www.sentinelone.com/blog/fr...expands-cloud-botnet-to-30000-infected-hosts/

----

Security researchers have revealed new details of a cryptojacking (unauthorized cryptocurrency mining) operation run by the 8220 Gang that exploits vulnerabilities in Oracle WebLogic Server.

Trend Micro experts reported in their latest report that the attackers use fileless execution techniques such as reflective DLL loading, which lets the malware run exclusively in memory and avoid detection on disk.

The 8220 Gang, also known as Water Sigbin, frequently exploits vulnerabilities in Oracle WebLogic Server, including CVE-2017-3506, CVE-2017-10271, and CVE-2023-21839. These flaws are used both to obtain initial access and to load the cryptominer directly.

After a successful compromise, the attackers run a PowerShell script that loads the first-stage loader ("wireguard2-3.exe"). The file poses as a legitimate WireGuard VPN application but actually runs another executable ("cvtres.exe") directly in memory by way of a DLL ("Zxpus.dll").

That executable retrieves the PureCrypter loader ("Tixrgtluffu.dll"), which sends system information to a remote server, creates scheduled tasks to launch the miner, and adds the malicious files to the Microsoft Defender antivirus exclusions.

The command-and-control server responds with an encrypted message containing the XMRig configuration, after which the loader fetches and executes the miner from an attacker-controlled domain. The miner itself is disguised as a legitimate Microsoft binary ("AddinProcess.exe").

Experts note that this method lets the attackers hide effectively from traditional detection and protection tools; fileless techniques make the malware harder to detect and remove.

Beyond Oracle WebLogic Server, the 8220 Gang is also known to exploit other vulnerabilities to reach its goals. Its methods are continually refined, which makes the group's attacks more sophisticated and dangerous.

The main targets of these hackers are poorly protected servers running outdated software, which makes them easy prey. Companies are advised to review and update their security systems carefully to avoid such attacks.
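As an added example (not code from either report, nor from the group's tooling), a small Python triage routine that applies the chain described above to constructed Windows event records: Defender exclusion changes (event 5007), scheduled tasks (event 4698) that run the look-alike binaries named above from outside the Windows directory, and PowerShell-spawned executables in user-writable paths (event 4688). Hosts, paths, task names and the user-writable-path heuristic are assumptions.

```python
import re
from typing import Dict, List

# Constructed Windows event records in the flattened form a SIEM might export.
# 5007 = Defender configuration changed, 4698 = scheduled task created,
# 4688 = process created. Hosts, paths and task names are illustrative assumptions.
SAMPLE_EVENTS = [
    {"id": 5007, "host": "web01",
     "message": "Microsoft Defender Antivirus Configuration has changed. New value: "
                "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\Public\\svc = 0x0"},
    {"id": 4698, "host": "web01", "task": "\\Microsoft\\Windows\\Update\\svcupd",
     "command": "C:\\Users\\Public\\svc\\AddinProcess.exe"},
    {"id": 4688, "host": "web01", "parent": "powershell.exe",
     "image": "C:\\Users\\Public\\wireguard2-3.exe"},
    {"id": 4688, "host": "web02", "parent": "MSBuild.exe",
     "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\cvtres.exe"},
    {"id": 4698, "host": "web02", "task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "command": "%windir%\\system32\\defrag.exe"},
]

# Binary names the reported chain masquerades as; genuine copies live under the Windows directory.
LOOKALIKE_NAMES = {"addinprocess.exe", "cvtres.exe"}
WINDOWS_PREFIXES = ("c:\\windows\\", "%windir%\\", "%systemroot%\\")
# Locations a script can usually write to without elevation (assumed heuristic, tune per estate).
USER_WRITABLE = ("c:\\users\\public\\", "c:\\windows\\temp\\", "c:\\programdata\\")
# Registry path fragment Defender logs when an exclusion is added (value up to the '=' sign).
EXCLUSION_RE = re.compile(r"Exclusions\\(Paths|Processes|Extensions)\\([^=]+)")

def _lookalike_outside_windows(path: str) -> bool:
    """True when the file name mimics a Microsoft binary but lives outside the Windows directory."""
    low = path.strip('"').lower()
    return low.split("\\")[-1] in LOOKALIKE_NAMES and not low.startswith(WINDOWS_PREFIXES)

def triage(events: List[Dict]) -> List[str]:
    """Return one finding string per event that matches a step of the reported chain."""
    findings = []
    for ev in events:
        host = ev.get("host", "?")
        if ev["id"] == 5007:
            m = EXCLUSION_RE.search(ev["message"])
            if m:
                findings.append(f"{host}: Defender {m.group(1)} exclusion added for {m.group(2).strip()}")
        elif ev["id"] == 4698 and _lookalike_outside_windows(ev["command"]):
            findings.append(f"{host}: scheduled task {ev['task']} runs look-alike binary {ev['command']}")
        elif ev["id"] == 4688:
            img = ev["image"].lower()
            if _lookalike_outside_windows(img) or (
                    ev.get("parent", "").lower() == "powershell.exe" and img.startswith(USER_WRITABLE)):
                findings.append(f"{host}: suspicious process {ev['image']} spawned by {ev.get('parent')}")
    return findings
```

Run against the constructed records, `triage(SAMPLE_EVENTS)` reports the three web01 events and nothing for web02, whose cvtres.exe runs from its genuine .NET location.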

• Source: https://www.trendmicro.com/en_us/research/24/f/water-sigbin-xmrig.html