The 8220 cryptomining group has expanded in size to encompass as many as 30,000 infected hosts, up from 2,000 hosts globally in mid-2021.
“8220 Gang is one of the many low-skill crimeware gangs we continually observe infecting cloud hosts and operating a botnet and cryptocurrency miners through known vulnerabilities and remote access brute forcing infection vectors,” Tom Hegel of SentinelOne said in a Monday report.
The growth is said to have been fuelled through the use of Linux and common cloud application vulnerabilities and poorly secured configurations for services such as Docker, Apache WebLogic, and Redis.
Active since early 2017, the Chinese-speaking, Monero-mining threat actor was most recently seen targeting i686 and x86_64 Linux systems by means of weaponizing a recent remote code execution exploit for Atlassian Confluence Server (CVE-2022-26134) to drop the PwnRig miner payload.
“Victims are not targeted geographically, but simply identified by their internet accessibility,” Hegel pointed out.
images from Hacker News