8220 Gang Exploits Atlassian Zero-Day for Cryptomining

Critical Infrastructure Security
Information & Technology

Check Point has identified attackers exploiting CVE-2022-26134, the recently patched vulnerability in Atlassian Confluence and Data Center, to install cryptominers targeting Linux and Windows endpoints. 8220 is the cybercriminal gang associated with this attack. Exploitation of this vulnerability often occurs a few days after attackers have scanned for vulnerable targets. Once targets have been identified, the corresponding malware is downloaded onto the victim's platform based on its operating system. In the Windows attack chain, the attacker uses PowerShell commands and scripts to initiate the attack. Reconnaissance activity with WMI identifies the system's architecture in order to download the necessary payload. The downloaded executables then run on the host, creating persistence in the start-up folder and using system resources for cryptomining.