"This Cloud Botnet Has Hijacked 30,000 Systems to Mine Cryptocurrencies"

The 8220 cryptomining group has grown to as many as 30,000 infected hosts, up from roughly 2,000 hosts globally in mid-2021. According to SentinelOne, the group is one of many low-skill crimeware gangs continuously observed infecting cloud hosts, running a botnet, and operating cryptocurrency miners, using known vulnerabilities and remote-access brute forcing as its infection vectors. Exploitation of Linux and common cloud application vulnerabilities, together with poorly secured configurations for services such as Docker, Oracle WebLogic, and Redis, is said to have fueled the growth. The Chinese-speaking Monero-mining threat actor has been active since early 2017, most recently targeting i686 and x86_64 Linux systems by weaponizing a recent remote code execution exploit for Atlassian Confluence Server (CVE-2022-26134) to drop the PwnRig miner payload. In addition to running the PwnRig cryptocurrency miner, the infection script removes cloud security tools and performs SSH brute forcing with a list of 450 hard-coded credentials in order to spread laterally across the network. Newer versions of the script also use blocklists to avoid compromising specific hosts, such as honeypot servers, which could expose their illegal activity. The PwnRig cryptominer, which is based on the open-source Monero miner XMRig, has also been updated: it issues a rogue mining pool request and conceals the true destination of the mined funds by using a fake FBI subdomain whose IP address points to a legitimate Brazilian federal government domain. This article continues to discuss the growth of the 8220 cryptomining group.
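The lateral-movement step described above (SSH password guessing from a fixed credential list, followed by a successful login once a weak password is found) leaves a characteristic trace in sshd logs: a burst of "Failed password" lines for many different usernames from one source, then an "Accepted password" from the same source. The script below is an added example, not code from the SentinelOne or THN reports, that flags that pattern. The log lines, the source addresses, the threshold of 5 failures in 60 seconds, and the year used for syslog timestamps are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd lines in syslog format; not real traffic from the campaign.
SAMPLE_LOG = """\
Jul 18 10:00:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 41022 ssh2
Jul 18 10:00:02 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 41030 ssh2
Jul 18 10:00:02 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 41044 ssh2
Jul 18 10:00:03 web1 sshd[2107]: Failed password for invalid user oracle from 203.0.113.7 port 41050 ssh2
Jul 18 10:00:03 web1 sshd[2109]: Failed password for invalid user test from 203.0.113.7 port 41058 ssh2
Jul 18 10:00:04 web1 sshd[2111]: Accepted password for root from 203.0.113.7 port 41066 ssh2
Jul 18 10:05:00 web1 sshd[2201]: Accepted publickey for deploy from 198.51.100.9 port 50022 ssh2
Jul 18 10:06:00 web1 sshd[2203]: Failed password for deploy from 198.51.100.9 port 50030 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and "Accepted password for X from IP".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Accepted|Failed)\s+(?P<method>\w+)\s+for\s+(?:invalid user\s+)?"
    r"(?P<user>\S+)\s+from\s+(?P<ip>[\d.]+)\s+port\s+\d+"
)


def parse_sshd(text, year=2022):
    """Parse sshd auth lines into (timestamp, source_ip, user, accepted) tuples.

    Syslog lines carry no year, so one is assumed (hypothetical default: 2022).
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"] == "Accepted"))
    return events


def detect_bruteforce(events, threshold=5, window_s=60):
    """Flag sources with >= threshold failures inside a sliding window.

    Returns {ip: {"users": [usernames tried], "accepted_after": [(user, iso_ts), ...]}}.
    An entry in "accepted_after" means a flagged source later logged in successfully,
    which is the case that matters for lateral spread.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures within the window
    tried = defaultdict(set)      # ip -> every username it failed against
    report = {}                   # only sources that crossed the threshold
    for ts, ip, user, accepted in sorted(events):
        if accepted:
            if ip in report:
                report[ip]["accepted_after"].append((user, ts.isoformat()))
            continue
        tried[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            report.setdefault(ip, {"accepted_after": []})
    for ip, r in report.items():
        r["users"] = sorted(tried[ip])
    return report


if __name__ == "__main__":
    for ip, r in detect_bruteforce(parse_sshd(SAMPLE_LOG)).items():
        print(ip, "tried", r["users"], "successful logins after burst:", r["accepted_after"])
```

The username spread per source is worth reporting alongside the count: a password-spraying script working through a hard-coded list tries many accounts from one address, whereas a user mistyping a password hits one account repeatedly. A successful login recorded after the burst is the signal to treat the host as compromised rather than merely probed.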

THN reports "This Cloud Botnet Has Hijacked 30,000 Systems to Mine Cryptocurrencies"
