Radware today published a threat advisory on the 8220 Gang, a financially motivated Chinese threat group. The group, also known as the 8220 Mining Group, has opened the year by targeting poorly secured applications and public cloud environments with a custom crypto miner and IRC bot.
The 8220 Gang is known for employing a range of techniques to conceal its activity and evade detection, but its tradecraft is not flawless: Radware observed the group attempting to infect one of its Redis honeypots. According to the 2022 Radware Threat Report, Redis was the fourth most scanned and exploited TCP port in Radware’s Global Deception Network in 2022, up from tenth in 2021.
More Threats Posed By Cloud Environments
Daniel Smith, director of research for Radware’s cyber threat intelligence, said: “Organizations all over the world are still at risk from the threat posed by cloud environments and unsecured applications, particularly those that use weak passwords or delay patching vulnerabilities. Low-skilled gangs like the 8220 Gang can significantly harm targeted systems due to bad security hygiene.”
Redis, which was a popular target for criminals in 2022, is one service that should be protected and kept off the internet unless exposure is genuinely required; it has been the target of exploitation campaigns before. The 8220 Gang’s main goal is to penetrate weakly protected cloud servers using a custom Tsunami IRC bot and a crypto miner, leaving businesses to cope with the consequences:
The most direct drawback of crypto mining malware is that it degrades system performance, but it also raises the security risk to the host. Once a system is compromised, threat actors can use the same access to install further malware such as keyloggers and remote access tools, which can be used to steal sensitive data, obtain unauthorized access, or deploy ransomware and wipers.
The Tsunami IRC bot is a backdoor that gives threat actors remote access to systems and lets them conduct distributed denial-of-service (DDoS) attacks. Many companies have limited visibility into their cloud workloads, which makes it harder for network and security operations to identify and address security issues, and the limited security controls offered by public cloud providers make it simpler for threat actors to identify and exploit vulnerabilities.
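As an added example (not code from the Radware advisory or from the 8220 Gang’s tooling), the Python script below audits a redis.conf for the exposure described above: listening on all interfaces, protected mode switched off, no password, and CONFIG and the other administrative commands left reachable. The two sample configurations inside it are constructed for the example, and the hardening it checks for is standard Redis practice rather than something the advisory spells out; ACL files are out of scope.

```python
"""Audit a redis.conf for settings that leave Redis reachable and abusable
from the internet. Added example for this article; it is not Radware's or the
8220 Gang's code. Directive names are standard Redis ones; the two sample
configs are constructed. ACL files (aclfile / user directives) are out of scope."""
import shlex
from typing import Dict, List

# Commands that let anyone who can reach the port rewrite settings, dump the
# database to disk or stop the server; disabling them by renaming to "" is
# a standard Redis hardening step.
DANGEROUS_COMMANDS = ("CONFIG", "DEBUG", "FLUSHALL", "FLUSHDB",
                      "SAVE", "SHUTDOWN", "SLAVEOF", "REPLICAOF")
ALL_INTERFACES = {"0.0.0.0", "*", "::", "-::*", "*-::*"}


def parse_redis_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive (lower-cased) to the list of argument lists seen.
    shlex handles quoted values and strips '#' comments; directives may repeat."""
    directives: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        try:
            parts = shlex.split(raw, comments=True)
        except ValueError:          # unbalanced quote: fall back to plain split
            parts = raw.split()
        if parts:
            directives.setdefault(parts[0].lower(), []).append(parts[1:])
    return directives


def audit_redis_conf(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    conf = parse_redis_conf(text)
    findings: List[str] = []

    # No bind directive at all means every interface; so does a wildcard.
    bind = conf.get("bind", [[]])[-1]
    if not bind or any(addr in ALL_INTERFACES for addr in bind):
        findings.append("bind: Redis listens on all interfaces")

    protected = conf.get("protected-mode", [["yes"]])[-1]
    if not protected or protected[0].lower() != "yes":
        findings.append("protected-mode: disabled")

    password = conf.get("requirepass", [[""]])[-1]
    if not password or password[0] == "":
        findings.append("requirepass: no password, any client can run commands")

    renamed = {args[0].upper() for args in conf.get("rename-command", []) if len(args) == 2}
    exposed_cmds = [c for c in DANGEROUS_COMMANDS if c not in renamed]
    if exposed_cmds:
        findings.append("rename-command: still reachable: " + ", ".join(exposed_cmds))
    return findings


def is_internet_exposed(text: str) -> bool:
    """True when the instance would accept unauthenticated commands from any
    address: all interfaces, protected mode off and no password."""
    f = audit_redis_conf(text)
    return (any(x.startswith("bind:") for x in f)
            and any(x.startswith("protected-mode:") for x in f)
            and any(x.startswith("requirepass:") for x in f))


# Constructed sample: what an internet-facing, unhardened instance often looks like.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
# no requirepass, nothing renamed
"""

# Constructed sample: loopback only, protected mode, auth, dangerous commands disabled.
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
requirepass "replace-with-a-long-random-secret"
rename-command CONFIG ""
rename-command DEBUG ""
rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command SAVE ""
rename-command SHUTDOWN ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: exposed={is_internet_exposed(conf)}")
        for finding in audit_redis_conf(conf):
            print("  -", finding)
```

Run it against a live instance’s config file (or the output of CONFIG GET piped into a file) to get the same findings; if the service must be reachable from other hosts, the bind should name the internal interface and a firewall or security group should restrict who can reach port 6379.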
What the Chinese 8220 Gang Chooses to Focus On
The 8220 Gang’s main goal is to penetrate weakly protected cloud servers with a custom crypto miner and a Tsunami IRC bot, leaving businesses to cope with the consequences. The most direct risk from crypto mining malware is that it degrades system performance.
It also exposes systems to further security issues: once infected, threat actors can use that access to install other kinds of malware, such as keyloggers and remote access tools, to steal sensitive data, obtain unauthorized access, or spread ransomware and wipers.
The Tsunami bot is a backdoor the 8220 Gang uses to remotely control systems and conduct distributed denial-of-service (DDoS) attacks. According to Radware, it is increasingly challenging for security and network operators to identify and address security issues because many organizations lack adequate visibility.
In addition, the minimal security controls offered by public cloud providers make it simpler for threat actors to identify and exploit vulnerabilities.
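The visibility problem raised in both descriptions of the Tsunami bot and miner above is one that network telemetry can partly close. As an added example (not Radware’s code and not the 8220 Gang’s tooling), the script below runs three detections over constructed flow records of the kind a sensor such as Zeek would capture (timestamp, source, destination, port, protocol, first payload bytes): an IRC registration handshake to any port, Stratum/JSON-RPC mining traffic, and an outbound flood from a single host. The addresses, channel name, wallet string and flood threshold are made up for the example; only the IRC verbs and Stratum method names are the real protocol keywords.

```python
"""Flag behaviours described in the article in constructed flow records:
an IRC bot registering with its C2, a miner talking Stratum/JSON-RPC, and an
outbound flood. Added example; not Radware's or the 8220 Gang's code. The
records, addresses and names are made up; only the protocol keywords are real."""
import json
from collections import Counter
from typing import Dict, List

# IRC client-side registration and channel verbs (RFC 1459). Matched on
# content, not port, because bots commonly use non-standard ports.
IRC_VERBS = ("NICK ", "USER ", "JOIN #", "PRIVMSG ", "PONG :")
# Stratum v1 (Bitcoin-style pools) and the Monero/XMRig JSON-RPC login flow.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                   "login", "submit"}


def classify_payload(payload: str) -> str:
    """Return 'irc', 'stratum' or '' for the first bytes of an outbound flow."""
    text = payload.strip()
    if not text:
        return ""
    lines = text.splitlines()
    if lines[0].startswith("{"):
        try:
            method = json.loads(lines[0]).get("method", "")
        except (ValueError, AttributeError):
            method = ""
        return "stratum" if method in STRATUM_METHODS else ""
    # NICK alone is distinctive; USER/JOIN/... need company (FTP also says USER).
    seen = {v for v in IRC_VERBS if any(ln.startswith(v) for ln in lines)}
    if "NICK " in seen or len(seen) >= 2:
        return "irc"
    return ""


def detect(flows: List[Dict], flood_threshold: int = 50, window_s: float = 10.0) -> List[Dict]:
    """One alert per flagged flow, plus one per (src, dst, proto, window) that
    reaches flood_threshold flows: what a DDoS client looks like from inside
    the victim network. The threshold is a made-up starting point; tune it."""
    alerts: List[Dict] = []
    buckets: Counter = Counter()
    for f in flows:
        kind = classify_payload(f.get("payload", ""))
        if kind:
            alerts.append({"host": f["src"], "kind": kind,
                           "dst": f"{f['dst']}:{f['dport']}"})
        buckets[(f["src"], f["dst"], f["proto"], int(f["ts"] // window_s))] += 1
    for (src, dst, proto, _), n in buckets.items():
        if n >= flood_threshold:
            alerts.append({"host": src, "kind": "flood",
                           "dst": f"{dst}/{proto}", "flows": n})
    return alerts


# Constructed records: ts, src, dst, dport, proto, first payload bytes.
SAMPLE_FLOWS: List[Dict] = [
    {"ts": 0.0, "src": "10.0.0.5", "dst": "93.184.216.34", "dport": 443,
     "proto": "tcp", "payload": ""},                       # ordinary TLS
    {"ts": 0.4, "src": "10.0.0.5", "dst": "93.184.216.34", "dport": 80,
     "proto": "tcp", "payload": "GET / HTTP/1.1\r\nHost: example.com\r\n"},
    {"ts": 1.2, "src": "10.0.0.5", "dst": "198.51.100.7", "dport": 8080,
     "proto": "tcp",                                       # IRC on a non-IRC port
     "payload": "NICK [x86]-a1b2c3\r\nUSER bot localhost localhost :bot\r\nJOIN #channel\r\n"},
    {"ts": 2.5, "src": "10.0.0.5", "dst": "203.0.113.9", "dport": 443,
     "proto": "tcp",                                       # XMRig-style login on 443
     "payload": '{"id":1,"jsonrpc":"2.0","method":"login",'
                '"params":{"login":"WALLET","pass":"x","agent":"xmrig/6.0"}}\n'},
] + [  # 60 payload-less UDP flows to one target in under a second
    {"ts": 5.0 + i / 100, "src": "10.0.0.5", "dst": "192.0.2.20", "dport": 80,
     "proto": "udp", "payload": ""} for i in range(60)
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

The point of matching on payload keywords rather than destination port is that both the IRC bot and the miner in the sample sit on ports (8080 and 443) that a port-based rule would wave through; the flood rule, by contrast, needs no payload at all, only flow counts per destination within a window.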
Radware’s security advisory concerns the 8220 Gang, a Chinese for-profit threat group that has been targeting public cloud environments since the start of the year. The group, also known as the 8220 Mining Group, uses a custom crypto miner and IRC bot to attack applications with weak security. The 8220 Gang uses a number of tactics to conceal its actions and avoid detection, but its capabilities are limited, as Radware found when the group tried to infect one of its Redis honeypots. According to the 2022 Radware Threat Report, Redis was the fourth most scanned and exploited TCP port in Radware’s Global Deception Network last year, up from tenth in 2021.