The 8220 Gang is known to use a variety of tactics and techniques to hide their activities and evade detection. But it is not perfect and was caught attempting to infect one of Radware's Redis honeypots.
According to the 2022 Radware Threat Report, Redis was the fourth most scanned and exploited TCP port in Radware's Global Deception Network in 2022, up from the tenth position in 2021.
According to Radware head of research of cyber threat intelligence Daniel Smith, "The threat to cloud environments and insecure applications continues to pose risks to organisations around the world, especially those that use weak credentials or do not patch vulnerabilities immediately. Because of poor security hygiene, low-skilled groups like the 8220 Gang are able to cause a significant impact to targeted systems."
Why it matters
• It is not the first time Redis is subject to exploit activity by malicious gangs. Redis gained a lot of popularity among the criminal community in 2022 and is one of the services that should be looked after and not be exposed to the internet if not required.
• The main objective of the 8220 Gang is to compromise poorly secured cloud servers with a custom-built crypto miner and a Tsunami IRC bot, leaving companies to deal with the fallout:
• The main concern with crypto mining malware is that it can significantly impact a system's performance. But it can also expose systems to additional security risks. Once infected, threat actors can use the same access to install other types of malware, such as keyloggers or remote access tools, which can subsequently be leveraged to steal sensitive information, gain unauthorised access to sensitive data, or deploy ransomware and wipers.
• The Tsunami IRC is a bot used as backdoor, allowing the threat actors to remotely control systems and launch distributed denial-of-service (DDoS) attacks.
• Many organisations have limited visibility, making it more difficult for security and network operations to detect and respond to security threats.
• Public cloud providers offer limited security controls, making it easier for threat actors to find and exploit vulnerabilities.
For more details, please see Radware's threat advisory.