Cybersecurity researchers say a Chinese for-profit threat group tracked as 8220 Gang is targeting cloud providers and poorly secured applications with a custom-built crypto miner and IRC bot.
The group employs a variety of tactics and techniques to hide their activities and evade detection, including the use of a blocklist to avoid tripping over honeypots. “Yet, the group is not perfect and was caught attempting to infect one of Radware’s Redis honeypots at the beginning of this year,” according to cybersecurity firm Radware.
Threat groups specializing in crypto mining campaigns target public cloud environments for several reasons, including that such environments offer potential targets with sufficient or elastic computing resources, researchers say.
“Many organizations have limited visibility, making it more difficult for security and network operations to detect and respond to security threats, and the public cloud providers also offer limited security controls, making it easier for threat actors to find and exploit vulnerabilities,” researchers say.
The attackers used a custom crypto miner, ‘PwnRig’, that slows down systems by consuming CPU and GPU resources. This also causes devices to become unresponsive and elastic compute nodes to expand their resources, ultimately resulting in “a huge, unexpected invoice for the victim at the end of the billing cycle.”