
The National Cyber Security Centre (NCSC) has highlighted that Microsoft’s Security Intelligence team has uncovered “notable updates” to malware targeting Linux systems to install cryptomining malware.
The group behind the malware, known as the “8220 gang”, has been active since 2017. Its most recent campaign targets i686 and x86_64 Linux systems and gains initial access through remote code execution (RCE) exploits for CVE-2022-26134 (Atlassian Confluence Server) and CVE-2019-2725 (Oracle WebLogic).
Microsoft also revealed that the malware features self-propagating capabilities:
“The loader uses the IP port scanner tool ‘masscan’ to find other SSH servers in the network, and then uses the GoLang-based SSH brute force tool ‘spirit’ to propagate. It also scans the local disk for SSH keys to move laterally by connecting to known hosts.”
To protect against this threat, Microsoft recommends that organisations secure their systems and servers, apply updates, and practise good credential hygiene.
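The lateral-movement step quoted above only works when a private key found on disk can be used as-is, so one concrete piece of credential hygiene is to check that stored SSH keys carry a passphrase. The following Python script is an added example, not code from the NCSC or Microsoft write-up: it parses the openssh-key-v1 container header to read the cipher name (a cipher of "none" means the key is unencrypted) and treats legacy PEM keys as encrypted only when they carry a `Proc-Type: 4,ENCRYPTED` header. The sample keys it writes are constructed placeholder blobs with no real key material.

```python
"""Audit a directory of SSH private keys for missing passphrases (added example)."""
import base64
import struct
from pathlib import Path
from typing import List, Optional, Tuple

OPENSSH_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_FOOTER = "-----END OPENSSH PRIVATE KEY-----"
AUTH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read one SSH wire-format string (big-endian uint32 length prefix)."""
    (length,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + length], off + length


def parse_openssh_private_key(text: str) -> dict:
    """Return cipher, KDF and key count from an openssh-key-v1 container."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[0] != OPENSSH_HEADER or lines[-1] != OPENSSH_FOOTER:
        raise ValueError("not an OpenSSH-format private key")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(AUTH_MAGIC):
        raise ValueError("missing openssh-key-v1 magic")
    off = len(AUTH_MAGIC)
    cipher, off = _read_string(blob, off)      # b"none" => stored without a passphrase
    kdf, off = _read_string(blob, off)         # b"bcrypt" when a passphrase is set
    _kdf_options, off = _read_string(blob, off)
    (nkeys,) = struct.unpack_from(">I", blob, off)
    return {
        "format": "openssh-key-v1",
        "cipher": cipher.decode(),
        "kdf": kdf.decode(),
        "keys": nkeys,
        "encrypted": cipher != b"none",
    }


def classify_private_key(text: str) -> Optional[dict]:
    """Classify any PEM-style private key; return None if the text is not one."""
    first = text.lstrip().splitlines()[0] if text.strip() else ""
    if first == OPENSSH_HEADER:
        return parse_openssh_private_key(text)
    if first.startswith("-----BEGIN ") and "PRIVATE KEY-----" in first:
        # Legacy PEM (RSA/EC/DSA) is encrypted only when the Proc-Type header says so.
        return {"format": "legacy-pem", "encrypted": "Proc-Type: 4,ENCRYPTED" in text}
    return None


def audit_key_directory(directory: Path) -> List[Tuple[str, dict]]:
    """Return (filename, details) for every private key stored without a passphrase."""
    findings = []
    for path in sorted(directory.iterdir()):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the audit
        info = classify_private_key(text)
        if info is not None and not info["encrypted"]:
            findings.append((path.name, info))
    return findings


# --- constructed sample data for an offline demonstration (not real keys) ---

def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def build_sample_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """Build a minimal openssh-key-v1 container with placeholder key material."""
    blob = (AUTH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"")
            + struct.pack(">I", 1)                      # one key in the container
            + _ssh_string(b"placeholder-public-key")    # constructed, not a real key
            + _ssh_string(b"\x00" * 16))                # constructed private section
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{OPENSSH_HEADER}\n{body}\n{OPENSSH_FOOTER}\n"


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "id_ed25519").write_text(build_sample_openssh_key(b"none", b"none"))
        (d / "id_rsa").write_text(build_sample_openssh_key(b"aes256-ctr", b"bcrypt"))
        (d / "legacy.pem").write_text("-----BEGIN RSA PRIVATE KEY-----\nMIIB\n-----END RSA PRIVATE KEY-----\n")
        (d / "known_hosts").write_text("|1|abc=|def= ssh-ed25519 AAAA\n")
        for name, info in audit_key_directory(d):
            print(f"{name}: no passphrase ({info['format']})")
```

Run against `~/.ssh` on a host to list keys that a process with the user's file access could reuse directly; an empty result means every key found requires a passphrase. Keys held only in an agent or hardware token are outside the scope of this check.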
The NCSC has advice for organisations on updating their approach to password policies and implementing effective authentication policies.
It also has guidance, for both public and private sector organisations, on mitigating malware infection and on what to do if they find themselves already infected.