
Linux Systems Targeted: Microsoft Spots Cryptomining Malware as the Culprit

Microsoft Security Intelligence has issued a new warning about a known cloud threat actor group.

What’s this threat actor?

  • The malware gang known as 8220 has infiltrated Linux servers in order to install cryptocurrency miners. It has apparently been active since the first half of 2017.
  • Over the past year, the group has actively upgraded its payloads and tactics.
  • These upgrades include fresh iterations of an IRC bot and a cryptominer.

Targets so far

As reported by Microsoft, the malware’s latest targets are i686 and x86_64 Linux systems.

How does the malware operate?

  • The threat actor gains initial access by exploiting remote code execution vulnerabilities CVE-2022-26134 (Atlassian Confluence Server) and CVE-2019-2725 (Oracle WebLogic).
  • After initial access, a loader is downloaded.
  • This loader evades detection by deleting log files and turning off cloud security and monitoring technologies.
  • Microsoft Defender for Endpoint's tamper protection features help safeguard security settings against such attempts.
  • The loader then downloads the pwnRig cryptominer and an IRC bot that executes commands from a command-and-control (C2) server.
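The two defense-evasion behaviours attributed to the loader above (wiping log files and switching off monitoring) are exactly the kind of host activity a detection rule can catch. The following script is an added example, not Microsoft's or the gang's code: it parses auditd-style EXECVE lines and flags deletions under /var/log and `systemctl stop/disable/mask` of watched services. The log lines are constructed, and the service list (`auditd`, `rsyslog`, and `mdatp`, the Microsoft Defender for Endpoint agent on Linux) is an assumption to be replaced with the agents actually deployed.

```python
"""Flag log wiping and monitoring shutdown in auditd-style EXECVE records.

Added example for the article above; the sample log and the watched-service
list are constructed assumptions, not data from the report.
"""
import re
from dataclasses import dataclass

# Assumption: services a defender wants to see stopped or disabled.
MONITORED_SERVICES = {"auditd", "rsyslog", "mdatp"}

# Tools commonly used to destroy files; combined with a /var/log path below.
LOG_WIPE_TOOLS = {"rm", "shred", "truncate", "unlink"}
DISABLE_VERBS = {"stop", "disable", "mask"}

# Constructed sample lines in a simplified auditd EXECVE format.
SAMPLE_LOG = """\
type=EXECVE msg=audit(1659000001.001:101): argc=3 a0="rm" a1="-rf" a2="/var/log/syslog"
type=EXECVE msg=audit(1659000001.002:102): argc=2 a0="ls" a1="/var/log"
type=EXECVE msg=audit(1659000002.003:103): argc=3 a0="systemctl" a1="stop" a2="auditd"
type=EXECVE msg=audit(1659000002.004:104): argc=3 a0="systemctl" a1="disable" a2="mdatp.service"
type=EXECVE msg=audit(1659000003.005:105): argc=2 a0="cat" a1="/var/log/auth.log"
type=EXECVE msg=audit(1659000003.006:106): argc=3 a0="systemctl" a1="restart" a2="nginx"
"""

_ARG_RE = re.compile(r'\ba(\d+)="([^"]*)"')
_EVENT_ID_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")


@dataclass
class Finding:
    event_id: str
    rule: str
    argv: list


def parse_execve(line):
    """Return (event_id, argv) for an EXECVE record, or None for other lines."""
    if "type=EXECVE" not in line:
        return None
    m = _EVENT_ID_RE.search(line)
    event_id = m.group(1) if m else "?"
    # aN="..." fields may appear in any order; sort by index to rebuild argv.
    args = sorted((int(i), v) for i, v in _ARG_RE.findall(line))
    return event_id, [v for _, v in args]


def classify(argv):
    """Map an argv to a rule name, or None if the command looks benign."""
    if not argv:
        return None
    cmd = argv[0].rsplit("/", 1)[-1]  # tolerate absolute paths like /bin/rm
    if cmd in LOG_WIPE_TOOLS and any(a.startswith("/var/log") for a in argv[1:]):
        return "log_file_wipe"
    if (cmd == "systemctl" and len(argv) >= 3 and argv[1] in DISABLE_VERBS
            and argv[2].removesuffix(".service") in MONITORED_SERVICES):
        return "monitoring_disabled"
    return None


def analyze(log_text):
    """Run both rules over every EXECVE record and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_execve(line)
        if parsed is None:
            continue
        event_id, argv = parsed
        rule = classify(argv)
        if rule:
            findings.append(Finding(event_id, rule, argv))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"event {f.event_id}: {f.rule}: {' '.join(f.argv)}")
```

Reading `ls /var/log`, `cat /var/log/auth.log`, and `systemctl restart nginx` produce no finding, which keeps the rule from paging on routine administration; a real deployment would also want the `stop`/`disable` rule keyed to the specific cloud monitoring agents in use.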

Conclusion

With this malware threat looming large, organizations can protect their networks only by proactively securing their systems and servers, applying updates, and practising good credential hygiene.
Cyware Publisher