Hacker gang ‘8220’ expands cloud botnet to more than 30,000 hosts
On Tuesday it was reported that a crypto-mining gang known as the ‘8220’ Gang has been exploiting Linux and cloud application vulnerabilities to grow its botnet to more than 30,000 infected hosts.
According to Bleeping Computer, the group is a low-skilled, financially motivated actor that infects AWS, Azure, GCP, Aliyun, and QCloud hosts by targeting publicly accessible systems running vulnerable versions of Docker, Redis, Confluence, and Apache.
Once they have access, the attackers use SSH brute forcing to spread further and hijack the available compute resources to run crypto miners that point to untraceable pools.
The gang has been active since at least 2017 and isn’t considered particularly sophisticated, but the sudden explosion in infection numbers shows how dangerous and impactful these lower-tier actors can still be when they are devoted to their goals.
“In the latest campaign, observed and analyzed by SentinelLabs, the 8220 Gang has added new things to the script used to expand their botnet, a piece of code that is sufficiently stealthy despite lacking dedicated detection evasion mechanisms,” according to Bleeping Computer.
Starting late last month, the group began using a dedicated file to manage the SSH brute-forcing step; it contains 450 hardcoded credentials covering a broad range of Linux devices and applications.
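The spreading step described above leaves a recognisable trace in sshd logs: one source cycling through many usernames in a short burst, sometimes followed by a successful login. The detector below is an added example written for this article, not code from the gang's script or from SentinelLabs; the log lines, thresholds and year are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd auth lines (not from the article): one source walks a
# list of hardcoded usernames and finally gets in, like the spreading step above.
SAMPLE_AUTH_LOG = """\
Jul 19 10:00:01 web01 sshd[2001]: Failed password for root from 203.0.113.5 port 51000 ssh2
Jul 19 10:00:02 web01 sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2
Jul 19 10:00:02 web01 sshd[2003]: Failed password for invalid user oracle from 203.0.113.5 port 51002 ssh2
Jul 19 10:00:03 web01 sshd[2004]: Failed password for invalid user postgres from 203.0.113.5 port 51003 ssh2
Jul 19 10:00:05 web01 sshd[2006]: Accepted password for ubuntu from 203.0.113.5 port 51005 ssh2
Jul 19 10:05:00 web01 sshd[2010]: Failed password for alice from 198.51.100.7 port 40000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse(log_text, year=2022):
    """Yield (timestamp, result, user, ip) for each sshd line that matches."""
    for line in log_text.splitlines():
        if m := LINE_RE.match(line):  # syslog lines carry no year; caller supplies one
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def find_credential_sweeps(log_text, min_failures=4, min_users=3, window_s=60):
    """Flag sources whose failures span many usernames in a short window, and note
    whether the same source later got an 'Accepted' login (spread likely succeeded)."""
    per_ip = defaultdict(lambda: {"fails": [], "users": set(), "accepted": False})
    for ts, result, user, ip in parse(log_text):
        rec = per_ip[ip]
        if result == "Failed":
            rec["fails"].append(ts)
            rec["users"].add(user)
        elif rec["fails"]:  # a success only matters after earlier failures
            rec["accepted"] = True
    alerts = {}
    for ip, rec in per_ip.items():
        times, best, lo = sorted(rec["fails"]), 0, 0
        for hi in range(len(times)):  # most failures inside any window_s span
            while (times[hi] - times[lo]).total_seconds() > window_s:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= min_failures and len(rec["users"]) >= min_users:
            alerts[ip] = {"failures": best, "users": sorted(rec["users"]),
                          "succeeded_after": rec["accepted"]}
    return alerts
```

A normal user mistyping a password once (the second source) stays below both thresholds, while a credential-list sweep that ends in an accepted login is the case worth paging on.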