Microsoft’s Security Intelligence team has issued a new warning against a known cloud threat actor (TA) group.
Tracked as 8220 and active since early 2017the group would have now updated its malware toolset to breach Linux servers in order to install crypto miners as part of a long-running campaign.
“The updates include the deployment of new versions of a cryptominer and an IRC bot, as well as the use of an exploit for a recently disclosed vulnerability,” the technology giant wrote in a Twitter thread on Thursday.
“The group has actively updated its techniques and payloads over the last year.”
According to Microsoft, the most recent campaign now targets i686 and x86_64 Linux systems and uses RCE exploits for CVE-2022-26134 (Atlassian Confluence Server) and CVE-2019-2725 (Oracle WebLogic) for initial access.
“After initial access, a loader is downloaded,” explained the security experts. “This loader evades detection by clearing log files and disabling cloud monitoring and security tools. Tamper protection capabilities in Microsoft Defender for Endpoint help protect security settings. ”
The loader would then download the pwnRig crpytominer and an IRC bot that runs commands from a command-and-control (C2) server. It would then maintain persistence by creating either a cronjob or a script running every 60 seconds as nohup.
According to Microsoft, the malware also features self-propagating capabilities.
The loader uses the IP port scanner tool ‘masscan’ to find other SSH servers in the network and then uses the GoLang-based SSH brute force tool ‘spirit’ to propagate. It also scans the local disk for SSH keys to move laterally by connecting to known hosts. ”
To protect networks against this threat, Microsoft said organizations should secure systems and servers, apply updates, and use good credential hygiene.
“Microsoft Defender for Endpoint on Linux detects malicious behaviors and payloads related to this campaign.”
The news comes days after Akamai suggested the Atlassian Confluence flaw is currently witnessing 20,000 exploitation attempts per day, launched from about 6,000 IPs.
For context, the number represents a substantial decrease when compared to the peak of 100,000 the company witnessed upon the bug disclosure on June 02 2022.