Defend Your Cloud: 8220 Gang Targets Linux & Windows

8220 Gang
Attack timeline

The notorious 8220 Gang has resurfaced, targeting cloud infrastructure in a campaign demonstrating significant advancements in their tactics, techniques, and procedures (TTPs). This ongoing campaign, active since May 2023, primarily focuses on cryptojacking for financial gain. Uptycs’ threat research team, delving into the intricate details of this campaign, sheds light on the sophisticated methodologies employed by the 8220 Gang.

Attack timeline | Image: Uptycs

Active since May 2023 and ongoing, the 8220 Gang’s campaign reveals a dangerous escalation. They now target both Linux and Windows cloud platforms with advanced tactics. Their exploitation of critical flaws (CVE-2021-44228, CVE-2022-26134) necessitates immediate action to safeguard against these persistent attacks.

The 8220 Gang’s approach in this campaign is characterized by its ingenuity and adaptability. Utilizing Windows PowerShell for fileless execution and deploying cryptominers, the gang has introduced novel techniques such as DLL sideloading and User Account Control (UAC) bypass to their arsenal. These methods not only enhance their stealth but also signify a profound shift in their operational tactics, setting this campaign apart from its predecessors.

The Windows-focused segment of their campaign reveals a sophisticated use of file and command-and-control (C&C) servers, designed to bypass antivirus and endpoint detection and response systems. Through a series of stages involving PowerShell scripts, batch scripts, and encrypted payloads, the 8220 Gang demonstrates a multifaceted approach to evading detection and securing persistence within targeted systems.

Though the Linux campaign showed no major innovations, it remains a critical component of their strategy, focusing on cryptojacking and employing updated versions of reconnaissance tools. The persistence and adaptability shown in targeting Linux servers underscore the gang’s commitment to exploiting every possible vector for their malicious activities.

The 8220 Gang’s latest campaign is a stark reminder of the ever-evolving landscape of cyber threats. Their shift towards more sophisticated tactics and techniques highlights an alarming advancement in cybercriminal capabilities, posing an increased risk to cloud security. Organizations must understand the nature of these attacks, and adapt their defense mechanisms to guard against such sophisticated threats.