8️⃣

8220 Gang

Tags

Cryptojacking

Attribution

💰Cybercrime

Incidents

8820 Gang targeting WebLogic 8220 Gang targeting Confluence 8220 Gang exploiting Log4Shell 8220 Gang Exploiting WebLogic Vulnerabilities for Cryptojacking

References

https://twitter.com/MsftSecIntel/status/1542281805549764608https://sysdig.com/blog/8220-gang-continues-to-evolve/https://blog.talosintelligence.com/cryptomining-campaigns-2018/https://asec.ahnlab.com/en/51568/https://www.sentinelone.com/blog/soc-team-essentials-how-to-investigate-and-track-the-8220-gang-cloud-threat/https://www.sentinelone.com/blog/8220-gang-cloud-botnet-targets-misconfigured-cloud-workloads/

Last edited

May 23, 2024 10:20 AM

Status

Finalized

Cloud-fluent

The group known as the 8220 gang, thought to originate from China, was initially discovered by Cisco Talos in 2017. They targeted applications like Drupal, Hadoop YARN, and Apache Struts2 to spread cryptojacking malware. Over time, different researchers have continuously reported on how this group's methods have changed, revealing their evolving tactics, techniques, and procedures (TTPs). This includes their exploitation of vulnerabilities in Confluence and Log4j. Most recently, Trend Micro revealed that the group has been using the Oracle WebLogic vulnerability CVE-2017-3506 to infect specific systems.