Tags
Cryptojacking
Attribution
💰Cybercrime
Incidents
References
https://twitter.com/MsftSecIntel/status/1542281805549764608
https://sysdig.com/blog/8220-gang-continues-to-evolve/
https://blog.talosintelligence.com/cryptomining-campaigns-2018/
https://asec.ahnlab.com/en/51568/
https://www.sentinelone.com/blog/soc-team-essentials-how-to-investigate-and-track-the-8220-gang-cloud-threat/
https://www.sentinelone.com/blog/8220-gang-cloud-botnet-targets-misconfigured-cloud-workloads/
Last edited
May 23, 2024 10:20 AM
Status
Finalized
Cloud-fluent
The group known as the 8220 Gang, believed to be based in China, was first documented by Cisco Talos in 2017. Its early campaigns exploited vulnerable internet-facing applications such as Drupal, Hadoop YARN, and Apache Struts2 to deploy cryptojacking malware. Since then, researchers have repeatedly documented changes in the group's tactics, techniques, and procedures (TTPs), including the exploitation of vulnerabilities in Atlassian Confluence and Log4j. Most recently, Trend Micro reported that the group has been exploiting the Oracle WebLogic vulnerability CVE-2017-3506 to compromise targeted systems.