Recently, security researchers found the first-ever crypto-mining worm, ‘TeamTNT’, stealing AWS credentials. Read on to know more…
The frequent targeting of cloud and container environments is indicative of a vast attack surface for cybercriminals. Recently, Cado Security researchers found the first-ever crypto-mining worm, dubbed ‘TeamTNT’, that contains Amazon Web Services (AWS) specific functionality. The gang behind this botnet, which Cado calls “TeamTNT,” originally targeted networks using vulnerable or unprotected Docker containers.
Now, however, it appears the botnet has been upgraded to target Kubernetes installations, according to the report from Cado. Kubernetes is the container orchestration platform developed and backed by Google.
About TeamTNT
Active since April 2020, TeamTNT updated its mode of operation in mid-August. TeamTNT added a new data-stealing feature that enables the attackers to scan for and steal AWS credentials. It is the first botnet malware known to scan for and steal AWS credentials.
The worm also steals local credentials and scans the internet for misconfigured Docker systems. So far, the attackers have compromised many Docker and Kubernetes systems, including Kubernetes clusters and Jenkins build servers.
As per researchers, TeamTNT’s malware suite incorporates code from another worm named Kinsing, since malware authors copy and paste their competitors’ code. The Kinsing worm was designed to bypass Alibaba Cloud security tools. In early April 2020, a bitcoin-mining campaign used the Kinsing malware to scan for misconfigured Docker APIs, then spin up Docker images and install itself.
Working Mechanism
Cado Security said that the attackers used exposed files containing plaintext credentials and configuration details for the underlying AWS account and infrastructure as part of the attack. This allowed them to tap into Amazon’s extensive and powerful computing resources to mine Monero.
If the infected Docker container or Kubernetes installation runs on top of AWS infrastructure, the botnet then scans for unprotected credentials, copies the username and password, and uploads them to the command-and-control server operated by the cybercriminal gang, according to the report.
According to Cado, once inside the compromised Docker container, the attackers planted the XMRig mining malware to mine Monero cryptocurrency. While it’s common for botnets to infect unprotected containers deployed in cloud infrastructures, the ability to steal and upload AWS credentials is unusual.
Repercussions
Besides acting as a botnet and a worm, TeamTNT uses the XMRig miner to mine Monero cryptocurrency. The worm also deploys several openly available malware and offensive security tools including punk.py, Diamorphine Rootkit, Tsunami IRC backdoor, and a log cleaning tool. Two different Monero wallets associated with these latest attacks have earned TeamTNT about 3 XMR (approx $300).
Concluding Points
MalwareHunterTeam has flagged the latest set of campaigns as a unique development. It is likely that other worms will start to copy the ability to steal AWS credentials. To thwart such attacks, organizations should consider reviewing their security configurations to protect AWS deployments from getting hijacked. Monitoring network traffic and using firewall rules to limit access to Docker APIs are also recommended.
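One concrete check a defender can run on hosts and container images in response to the credential-theft behaviour described above (an added example, not code from the Cado report or from the TeamTNT malware): it parses an AWS shared credentials file, flags profiles holding plaintext long-lived keys, and warns when the file is readable by other users. The sample credentials file and every key value in it are constructed placeholders, and the names `parse_profiles`, `audit_credentials` and `SAMPLE_CREDENTIALS` are chosen here.

```python
import configparser
import re
import stat

# Long-lived IAM user keys start with AKIA; temporary STS keys start with ASIA.
AWS_KEY_ID = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")

# Constructed sample of an AWS shared credentials file; all values are placeholders.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAEXAMPLEEXAMPLE12
aws_secret_access_key = EXAMPLESECRETKEYEXAMPLESECRETKEY12345678

[ci-temp]
aws_access_key_id = ASIAEXAMPLEEXAMPLE34
aws_secret_access_key = EXAMPLESECRETKEYEXAMPLESECRETKEY87654321
aws_session_token = EXAMPLETOKEN
"""


def parse_profiles(text: str) -> list[dict]:
    """Return one record per profile that holds a usable plaintext key pair."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    found = []
    for profile in cp.sections():
        key_id = cp[profile].get("aws_access_key_id", "")
        secret = cp[profile].get("aws_secret_access_key", "")
        if AWS_KEY_ID.match(key_id) and secret:
            # An AKIA key with no session token never expires on its own.
            long_lived = key_id.startswith("AKIA") and not cp[profile].get("aws_session_token")
            found.append({"profile": profile, "key_id": key_id, "long_lived": long_lived})
    return found


def audit_credentials(text: str, mode: int, where: str) -> list[str]:
    """Warnings for one credentials file: loose permissions and plaintext keys."""
    warnings = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        warnings.append(f"{where}: readable by group/others (mode {oct(mode & 0o777)})")
    for p in parse_profiles(text):
        kind = "long-lived IAM user key" if p["long_lived"] else "temporary STS key"
        warnings.append(f"{where}: profile '{p['profile']}' stores a plaintext {kind} ({p['key_id'][:8]}...)")
    return warnings


if __name__ == "__main__":
    # On a real host, pass the contents and st_mode of ~/.aws/credentials instead of the sample.
    for line in audit_credentials(SAMPLE_CREDENTIALS, 0o644, "/root/.aws/credentials"):
        print(line)
```

Any profile reported as long-lived should be rotated and replaced with instance-role or STS credentials, and the file should be mode 0600.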