Microsoft’s Security Intelligence team has issued a new warning about a known cloud threat actor group.
Active since early 2017 and tracked as 8220, the group has now updated its malware toolset to breach Linux servers and install cryptominers as part of a long-running campaign.
On Thursday, Microsoft wrote in a Twitter thread, “the updates include the deployment of new versions of a cryptominer and an IRC bot, as well as the use of an exploit for a recently disclosed vulnerability.”
“The group has actively updated its techniques and payloads over the last year.”
According to the tech giant, the most recent campaign now targets i686 and x86_64 Linux systems and uses RCE exploits for CVE-2022-26134 (Atlassian Confluence Server) and CVE-2019-2724 (Oracle WebLogic) for initial access.
The security experts said, “after initial access, a loader is downloaded. This loader evades detection by clearing log files and disabling cloud monitoring and security tools. Tamper protection capabilities in Microsoft Defender for Endpoint help protect security settings.”
The loader then downloads the pwnRig cryptominer and an IRC bot that runs commands from a command-and-control (C2) server. It maintains persistence by creating either a cron job or a script that runs every 60 seconds under nohup.
Reportedly, the malware also features self-propagating capabilities.
“The loader uses the IP port scanner tool ‘masscan’ to find other SSH servers in the network and then uses the GoLang-based SSH brute force tool ‘spirit’ to propagate. It also scans the local disk for SSH keys to move laterally by connecting to known hosts.”
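The behaviours described in the last few paragraphs (clearing logs, disabling monitoring or security agents, the 60-second nohup loop or cron job for persistence, masscan sweeps for SSH, and harvesting of SSH key material) are what a defender can look for in host telemetry. The following is an added example, not Microsoft's code or anything from the campaign itself: a small Python triage script that runs behavioural rules over constructed process-execution and crontab records and grades each host by how much of the described chain is present. The record format, rule names, thresholds, and every host name, service name and path in the sample data are assumptions made for this example.

```python
"""Host triage for the 8220 loader behaviours described in the article.

Added example, not Microsoft's or the group's code. It runs a handful of
behavioural rules over constructed process-execution and crontab records:
log clearing, disabling a monitoring/security agent, the 60-second nohup loop
or every-minute cron job used for persistence, masscan sweeps for SSH, and
reads of SSH key material. Record format, rule names, thresholds and every
host/service/path in the sample data are assumptions made for this example.
"""
import re
from collections import defaultdict

# Constructed sample telemetry (not from the page): one record per line,
# src=exec for an executed command line, src=cron for a crontab entry.
SAMPLE_RECORDS = """\
host=web01 src=exec cmd=> /var/log/wtmp
host=web01 src=exec cmd=systemctl stop cloud-monitor-agent
host=web01 src=exec cmd=nohup sh -c 'while true; do /tmp/.x/run; sleep 60; done' &
host=web01 src=exec cmd=masscan 10.0.0.0/8 -p 22 --rate 2000
host=web01 src=exec cmd=find / -path '*/.ssh/id_rsa' 2>/dev/null
host=build02 src=cron cmd=* * * * * /usr/local/bin/backup-rotate.sh
host=build02 src=exec cmd=cat ~/.ssh/known_hosts
host=db03 src=exec cmd=systemctl stop postgresql
"""

LINE_RE = re.compile(r"^host=(\S+)\s+src=(exec|cron)\s+cmd=(.*)$")

# (rule name, record source it applies to, pattern). The patterns encode the
# behaviours the article lists, not any specific binary, hash or path.
RULES = [
    ("log_clearing", "exec",
     re.compile(r"(^|[;&|]\s*)(>\s*/var/log/|rm\s+(-\S+\s+)*/var/log/|truncate\s.*\s/var/log/)")),
    ("security_tool_tamper", "exec",
     re.compile(r"(systemctl\s+(stop|disable|mask)\s+\S*|service\s+\S*)(monitor|agent|defender|security)", re.I)),
    ("persistence_cron_every_minute", "cron",
     re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*\s")),
    ("persistence_nohup_loop", "exec",
     re.compile(r"\bnohup\b.*\bsleep\s+60\b")),
    ("ssh_scan_masscan", "exec",
     re.compile(r"\bmasscan\b.*(-p\s*22\b|--ports?\s*22\b)")),
    ("ssh_key_harvest", "exec",
     re.compile(r"\.ssh/(id_rsa|id_ed25519|id_ecdsa|known_hosts)\b")),
]


def parse(text):
    """Turn the key=value records into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append({"host": m.group(1), "src": m.group(2), "cmd": m.group(3)})
    return records


def triage(records):
    """Return {host: sorted list of distinct rule names that fired}."""
    hits = defaultdict(set)
    for r in records:
        host_hits = hits[r["host"]]  # ensures every host appears, even with no hits
        for name, src, rx in RULES:
            if r["src"] == src and rx.search(r["cmd"]):
                host_hits.add(name)
    return {h: sorted(names) for h, names in sorted(hits.items())}


def verdict(rule_names):
    """Grade a host by how much of the described chain is present.

    A single rule (an every-minute cron job, a stopped service) is common on
    healthy hosts; the campaign is recognisable by several of the behaviours
    occurring together, so the thresholds favour the chain over any one hit.
    """
    n = len(rule_names)
    if n >= 3:
        return "likely_8220_chain"
    if n == 2:
        return "review"
    return "low" if n == 1 else "no_indicators"


if __name__ == "__main__":
    for host, names in triage(parse(SAMPLE_RECORDS)).items():
        print(f"{host:8s} {verdict(names):18s} {', '.join(names) or '-'}")
```

In the constructed data, web01 trips five rules and is graded as the full chain, build02 trips two (a legitimate every-minute cron job plus a read of known_hosts) and is only marked for review, and db03's stopped database service fires nothing. The point of grading on distinct behaviours rather than any single match is that each indicator on its own is routine on a healthy Linux host; it is the combination the article describes that is worth an alert.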
Microsoft said that, in order to protect their networks against this threat, organisations should secure systems and servers, apply updates, and use good credential hygiene.
“Microsoft Defender for Endpoint on Linux detects malicious behaviours and payloads related to this campaign.”
This news comes shortly after Akamai reported that the Atlassian Confluence flaw is currently seeing 20,000 exploitation attempts per day, launched from about 6,000 IPs.
For context, that figure is a large decrease from the peak of 100,000 the company observed at the time of the bug's disclosure on 2nd June 2022.