Today, Radware issued a threat advisory about a for-profit threat group from China called the 8220 Gang. The gang, also known as 8220 Mining Group, has rolled
into the New Year targeting public cloud environments and poorly secured applications, using a custom-built crypto miner
and IRC bot.
The 8220 Gang is known to use a variety of tactics and techniques to hide their activities and evade detection. But it
is not perfect and was caught attempting to infect one of Radware's Redis honeypots.
Big picture
According to the 2022 Radware Threat Report, Redis was the fourth most scanned and exploited TCP port in Radware's
Global Deception Network in 2022, up from the 10th position in 2021.
According to Daniel Smith, head of research of cyber threat intelligence at Radware, "The threat to cloud environments
and insecure applications continues to pose risks to organizations around the world, especially those that use weak
credentials or do not patch vulnerabilities immediately. Because of poor security hygiene, low-skilled groups like the
8220 Gang are able to cause a significant impact to targeted systems."
Why it matters
* This is not the first time Redis has been the subject of exploit activity by malicious gangs. Redis gained a lot of popularity
among the criminal community in 2022 and is one of the services that should be closely monitored and not exposed to the
internet unless required.
* The main objective of the 8220 Gang is to compromise poorly secured cloud servers with a custom-built crypto miner and
a Tsunami IRC bot, leaving companies to deal with the fallout:
  * The main concern with crypto mining malware is that it can significantly degrade a system's performance. But it can
also expose systems to additional security risks. Once a system is infected, threat actors can use the same access to install other
types of malware, such as keyloggers or remote access tools, which can subsequently be leveraged to steal sensitive
information, gain unauthorized access to sensitive data, or deploy ransomware and wipers.
  * The Tsunami IRC bot is used as a backdoor, allowing the threat actors to remotely control systems and launch
distributed denial-of-service (DDoS) attacks.
* Many organizations have limited visibility, making it more difficult for security and network operations to detect and
respond to security threats.
* Public cloud providers offer limited security controls, making it easier for threat actors to find and exploit
vulnerabilities.
What's next?
For more details, please see Radware's threat advisory: https://www.radware.com/WorkArea/DownloadAsset.aspx?ID=b3c730be-dc42-4979-bf3a-89ebf0e0c6bd