Tags
Cryptojacking
Attribution
💰Cybercrime
Incidents
References
https://twitter.com/MsftSecIntel/status/1542281805549764608
https://sysdig.com/blog/8220-gang-continues-to-evolve/
https://blog.talosintelligence.com/cryptomining-campaigns-2018/
https://asec.ahnlab.com/en/51568/
https://www.sentinelone.com/blog/soc-team-essentials-how-to-investigate-and-track-the-8220-gang-cloud-threat/
https://www.sentinelone.com/blog/8220-gang-cloud-botnet-targets-misconfigured-cloud-workloads/
Last edited
Oct 14, 2024 12:59 PM
Status
Finalized
Cloud-fluent
The group known as the 8220 gang, thought to originate from China, was first documented by Cisco Talos in 2017. It targeted applications such as Drupal, Hadoop YARN, and Apache Struts2 to spread cryptojacking malware. Since then, several researchers have reported on the group's evolving tactics, techniques, and procedures (TTPs), including its exploitation of vulnerabilities in Confluence and Log4j. Most recently, Trend Micro revealed that the group has been using the Oracle WebLogic vulnerability CVE-2017-3506 to infect specific systems. Victims are not selected by geography; they are simply identified by their exposure to the internet.