China-based threat group targeting public cloud - Radware
Radware has issued a threat advisory about a for-profit threat group from China known as the 8220 Gang, who has emerged in the New Year targeting public cloud environments.
Also known as 8220 Mining Group, the gang carries out its attacks using a custom-built crypto miner and IRC bot, also targeting poorly secured applications.
The 8220 Gang uses various strategies to hide their activities and evade being detected.
However, the group’s skills are not perfect, and Radware caught it attempting to infect one of its Redis honeypots.
The 2022 Radware Threat Report notes that Redis was the fourth most scanned and exploited TCP port in Radware’s Global Deception Network last year, up from the 10th position in 2021.
“The threat to cloud environments and insecure applications continues to pose risks to organisations around the world, especially those that use weak credentials or do not patch vulnerabilities immediately,” says Daniel Smith, Cyber Threat Intelligence Research Head, Radware.
“Because of poor security hygiene, low-skilled groups like the 8220 Gang are able to cause a significant impact to targeted systems.”
Radware notes this is not the first time malicious gangs have exploited Redis, with the in-memory data structure store becoming a hot topic in the criminal community in 2022.
Radware notes it is one of the services that should be looked after and only exposed to the internet if absolutely necessary.
The 8220 Gang’s main objective is to compromise poorly secured cloud servers with a custom-built crypto miner and a Tsunami IRC bot, leaving companies to deal with the fallout.
The main concern with crypto mining malware is that it can severely impact system performance.
Further, it can expose systems to more security risks and once infected, threat actors are able to use that same access to install other types of malware.
This includes keyloggers and remote access tools, which the threat actors can then use to steal sensitive information, gain unauthorised access to sensitive data, or deploy ransomware and wipers.
The 8220 Gang uses the Tsunami bot as a backdoor, allowing the threat actors to control systems remotely and launch distributed denial-of-service (DDoS) attacks.
Radware notes that because many organisations have limited visibility, it is more difficult for security and network operators to detect and respond to security threats.
Additionally, public cloud providers offer limited security controls, making it easier for threat actors to find and exploit vulnerabilities.
Radware’s threat advisory about the 8220 Gang comes after the cyber security and application delivery solutions firm released its First Half 2022 Global Threat Analysis Report, finding a significant increase in DDoS activity across the globe in the first six months of the year.
Attacks ranged from cases of hacktivism to terabit attacks in Asia and the United States.