8220 Gang

Description

(Trend Micro) 8220 Gang (also known as “8220 Mining Group,” derived from their use of port 8220 for command and control or C&C communications exchange) has been active since 2017 and continues to scan for vulnerable applications in cloud and container environments. Researchers have documented this group targeting Oracle WebLogic, Apache Log4j, Atlassian Confluence vulnerabilities, and misconfigured Docker containers to deploy cryptocurrency miners in both Linux and Microsoft Windows hosts. The group was documented to have used Tsunami malware, XMRIG cryptominer, masscan, and spirit, among other tools in their campaigns.

Names

Name	Name-Giver
8220 Gang	Talos
8220 Mining Group	Talos
Returned Libra	Palo Alto
Water Sigbin	Trend Micro

Country

China

Motivation

Financial gain

First Seen

2017

Operations

2021-05: 8220 Gangs Recent use of Custom Miner and Botnet https://www.lacework.com/blog/8220-gangs-recent-use-of-custom-miner-and-botnet/
2022-07: 8220 Gang Massively Expands Cloud Botnet to 30,000 Infected Hosts https://www.sentinelone.com/blog/from-the-front-lines-8220-gang-massively-expands-cloud-botnet-to-30000-infected-hosts/
2022-10: 8220 Gang Cloud Botnet Targets Misconfigured Cloud Workloads https://www.sentinelone.com/blog/8220-gang-cloud-botnet-targets-misconfigured-cloud-workloads/
2022-11: 8220 Gang Continues to Evolve With Each New Campaign https://sysdig.com/blog/8220-gang-continues-to-evolve/
2023-05: 8220 Gang Evolves With New Strategies https://www.trendmicro.com/en_us/research/23/e/8220-gang-evolution-new-strategies-adapted.html

Information

Playbook

https://pan-unit42.github.io/playbook_viewer/?pb=returnedlibra

Other Information

Uuid

8384088d-a679-47bb-bff5-957830937ae3

Last Card Change

2024-08-26

Threat Intelligence Garden

Explorer

8220 Gang

8220 Gang

Description

Names

Country

Motivation

First Seen

Operations

Information

Playbook

Other Information

Uuid

Last Card Change

Graph View

Table of Contents

Backlinks