Recently, researchers discovered and confirmed that nearly 50,000 IPs have been compromised by TeamTNT across various clusters. Read on to know more about it…
For several months, TeamTNT has been working to improve their specialization in mining cryptocurrency using cloud-based infrastructure. It recently improved its arsenal to target the credentials of several cloud-native applications, some of which are widely utilised by enterprises.
This attack was important since it was the first time attackers had targeted IAM credentials on compromised cloud instances outside of Amazon Web Services (AWS). Although TeamTNT may still use similar tactics to target the IAM credentials of Microsoft Azure, Alibaba Cloud, Oracle Cloud, or IBM Cloud, Unit 42 researchers have yet to unearth evidence of an attack on the other cloud providers. As early as August 2020, TeamTNT began gathering AWS credentials from cloud instances they had hacked.
According to Palo Alto’s Unit 42 researchers in a blog post, the threat group had targeted Kubernetes clusters and created a new malware called Black-T that incorporates open source cloud-native tools to advance its cryptojacking activities.
Cloud Based Attacks
Monero wallets and configuration files have become TeamTNT’s key targets. It has now begun stealing credentials for cloud-native tools, which it employs in unauthorised cryptojacking operations.
According to a Palo Alto report, TeamTNT is targeting the credentials of 16 cloud-based applications, including AWS and Google Cloud credentials.
Compromised AWS credentials are utilised to discover elements such as S3 buckets, EC2 instances, CloudTrail configurations, and IAM Permissions in the compromised AWS cloud environment. Additionally, it looks for credentials of Docker, Shodan, Filezilla, Pidgin, GitHub, Ngrok, and Project Jupyter. Furthermore, the attacker begins using Peirates, a Kubernetes and cloud penetration testing tool.
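The enumeration described above (S3 buckets, EC2 instances, CloudTrail configuration, IAM permissions) leaves a characteristic trace in CloudTrail: a single access key issuing several different read-only discovery calls within a few minutes, often from a source address the key has never used before. The script below is an added example, not code from the article or from Unit 42 or Trend Micro. It parses newline-delimited CloudTrail records and flags any access key that calls a threshold number of distinct discovery APIs inside a sliding time window. The event names watched, the ten-minute window and the threshold of four are my assumptions for a starting point; the sample records are constructed and use documentation IP ranges.

```python
"""Flag AWS access keys that run a burst of discovery API calls in CloudTrail.

Added example for the credential-abuse pattern described in the article;
the watch-list, window and threshold are assumptions, not vendor values.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Real CloudTrail eventName values; which ones to watch is my choice.
DISCOVERY_EVENTS = {
    "GetCallerIdentity",               # "whoami" for a freshly obtained key
    "ListBuckets",                     # S3 buckets
    "DescribeInstances",               # EC2 instances
    "DescribeTrails",                  # CloudTrail configuration
    "ListAttachedUserPolicies",        # IAM permissions
    "GetAccountAuthorizationDetails",  # IAM permissions, in bulk
    "ListUsers",
}

WINDOW = timedelta(minutes=10)  # assumption
MIN_DISTINCT = 4                # assumption: distinct discovery APIs per key per window


def parse_events(lines):
    """Parse CloudTrail records given one JSON object per line."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        key = rec.get("userIdentity", {}).get("accessKeyId", "unknown")
        ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, key, rec["eventName"], rec.get("sourceIPAddress")))
    return events


def find_discovery_bursts(lines, window=WINDOW, min_distinct=MIN_DISTINCT):
    """Return {accessKeyId: {"apis": [...], "source_ips": [...]}} for every key
    that called at least `min_distinct` different discovery APIs within `window`."""
    by_key = defaultdict(list)
    for ts, key, name, ip in sorted(parse_events(lines), key=lambda e: e[0]):
        if name in DISCOVERY_EVENTS:
            by_key[key].append((ts, name, ip))

    alerts = {}
    for key, calls in by_key.items():
        best = []          # the window with the most distinct discovery APIs
        start = 0
        for end in range(len(calls)):
            while calls[end][0] - calls[start][0] > window:
                start += 1
            current = calls[start:end + 1]
            if len({n for _, n, _ in current}) > len({n for _, n, _ in best}):
                best = current
        apis = sorted({n for _, n, _ in best})
        if len(apis) >= min_distinct:
            alerts[key] = {
                "apis": apis,
                "source_ips": sorted({ip for _, _, ip in best if ip}),
            }
    return alerts


# Constructed sample records in CloudTrail's JSON shape (not real telemetry).
# One key enumerates five APIs in 20 seconds; a CI key makes sparse, normal calls.
SAMPLE_LOG = """
{"eventTime":"2021-09-08T10:00:01Z","eventName":"GetCallerIdentity","sourceIPAddress":"203.0.113.7","userIdentity":{"accessKeyId":"AKIAEXAMPLESTOLEN"}}
{"eventTime":"2021-09-08T10:00:05Z","eventName":"ListBuckets","sourceIPAddress":"203.0.113.7","userIdentity":{"accessKeyId":"AKIAEXAMPLESTOLEN"}}
{"eventTime":"2021-09-08T10:00:09Z","eventName":"DescribeInstances","sourceIPAddress":"203.0.113.7","userIdentity":{"accessKeyId":"AKIAEXAMPLESTOLEN"}}
{"eventTime":"2021-09-08T10:00:14Z","eventName":"DescribeTrails","sourceIPAddress":"203.0.113.7","userIdentity":{"accessKeyId":"AKIAEXAMPLESTOLEN"}}
{"eventTime":"2021-09-08T10:00:20Z","eventName":"ListAttachedUserPolicies","sourceIPAddress":"203.0.113.7","userIdentity":{"accessKeyId":"AKIAEXAMPLESTOLEN"}}
{"eventTime":"2021-09-08T09:15:00Z","eventName":"DescribeInstances","sourceIPAddress":"198.51.100.20","userIdentity":{"accessKeyId":"AKIAEXAMPLECICD"}}
{"eventTime":"2021-09-08T11:40:00Z","eventName":"ListBuckets","sourceIPAddress":"198.51.100.20","userIdentity":{"accessKeyId":"AKIAEXAMPLECICD"}}
{"eventTime":"2021-09-08T12:02:00Z","eventName":"PutObject","sourceIPAddress":"198.51.100.20","userIdentity":{"accessKeyId":"AKIAEXAMPLECICD"}}
"""

if __name__ == "__main__":
    for key, info in find_discovery_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {len(info['apis'])} discovery APIs from {info['source_ips']}: {info['apis']}")
```

The sliding window keeps the densest run of calls per key, so a legitimate automation key that touches one or two of these APIs an hour apart never reaches the threshold, while a harvested key that enumerates the account in seconds does. Pair the alert with the key's historical source addresses before acting on it, since a new IP plus a discovery burst is a much stronger signal than either alone.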
Besides Palo Alto, other security firms have observed TeamTNT’s malicious operations targeting numerous cloud-based services.
According to a recent report by TrendMicro, the threat actors have targeted more than 50,000 IP addresses across numerous clusters in the United States, China, and other countries, including many internet service providers and cloud service providers.
In addition, TeamTNT has developed an extended Credential Harvester malware that targets Linux computers using exposed private keys and recycled passwords. It has the ability to steal cloud-related files from infected systems.
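A harvester that runs as the logged-in user can read that user's credential files regardless of permissions, so the defensive value of a host check is twofold: know which cloud and tool credentials exist on a machine so they can be rotated immediately if it is compromised, and catch files that have been left readable by other local users. The audit below is an added example, not code from the article or from any vendor. The file locations are the default paths I know each tool to use, and should be treated as assumptions and extended for a site's own tooling; the demo home directory it builds contains constructed placeholder files, not real secrets.

```python
"""Inventory well-known credential files under a home directory and flag any
that are readable by group or other.

Added example; CHECK_PATHS holds assumed default locations per tool.
"""
import os
import stat
import tempfile
from pathlib import Path

# Tool -> default credential file(s) relative to the home directory (assumed defaults).
CHECK_PATHS = {
    "aws":        [".aws/credentials"],
    "gcloud":     [".config/gcloud/application_default_credentials.json"],
    "docker":     [".docker/config.json"],
    "kubernetes": [".kube/config"],
    "ssh":        [".ssh/id_rsa", ".ssh/id_ed25519"],
    "git":        [".git-credentials", ".netrc"],
    "shodan":     [".shodan/api_key"],
    "ngrok":      [".ngrok2/ngrok.yml"],
    "filezilla":  [".config/filezilla/sitemanager.xml"],
    "pidgin":     [".purple/accounts.xml"],
    "jupyter":    [".jupyter/jupyter_notebook_config.json"],
}

GROUP_OTHER_READ = stat.S_IRGRP | stat.S_IROTH


def audit_home(home):
    """Return {"exposed": [...], "present": [...]} with (tool, path, mode) tuples.
    "exposed" files are readable by users other than the owner; "present" files
    exist with owner-only permissions but should still be rotated after a compromise."""
    report = {"exposed": [], "present": []}
    home = Path(home)
    for tool, rel_paths in CHECK_PATHS.items():
        for rel in rel_paths:
            path = home / rel
            if not path.is_file():
                continue
            mode = stat.S_IMODE(path.stat().st_mode)
            bucket = "exposed" if mode & GROUP_OTHER_READ else "present"
            report[bucket].append((tool, str(path), oct(mode)))
    return report


def build_demo_home():
    """Create a throwaway home directory holding two constructed credential files
    (placeholder content, no real secrets): a world-readable AWS credentials file
    and an owner-only SSH key. Returns the directory path."""
    home = Path(tempfile.mkdtemp(prefix="cred-audit-demo-"))
    aws = home / ".aws" / "credentials"
    aws.parent.mkdir()
    aws.write_text("[default]\naws_access_key_id = AKIAEXAMPLE\n"
                   "aws_secret_access_key = EXAMPLEEXAMPLE\n")
    os.chmod(aws, 0o644)  # the mistake the audit should catch
    key = home / ".ssh" / "id_ed25519"
    key.parent.mkdir()
    key.write_text("-----BEGIN OPENSSH PRIVATE KEY-----\nEXAMPLE\n"
                   "-----END OPENSSH PRIVATE KEY-----\n")
    os.chmod(key, 0o600)
    return str(home)


if __name__ == "__main__":
    demo = build_demo_home()
    for bucket, entries in audit_home(demo).items():
        for tool, path, mode in entries:
            print(f"{bucket:8} {tool:10} {mode} {path}")
```

Run it against every user's home on a fleet (for example from a configuration-management job) and the "present" list doubles as the rotation checklist for an incident: each entry is a credential the host would have given up to a harvester.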
The cybercriminal gang TeamTNT is scraping AWS IAM and Google Cloud credentials, according to Palo Alto Networks’ Unit 42, though the gang is still primarily focused on cryptomining.
“The presence of Google Cloud credentials being targeted for collections represents the first known instance of an attacker group targeting IAM credentials on compromised cloud instances outside of AWS. While it is still possible that Microsoft Azure, Alibaba Cloud, Oracle Cloud or IBM Cloud IAM credentials could be targeted using similar methods, Unit 42 researchers have yet to find evidence of credentials from these cloud service providers (CSPs) being targeted. TeamTNT first started collecting AWS credentials on cloud instances they had compromised as early as August 2020.”
Threat actors in TeamTNT are constantly improving their ability to penetrate cloud-based infrastructure, such as Google Cloud, Amazon Web Services, Kubernetes, and other prominent services. As a result, it is suggested that organisations proactively block network connections and C2 endpoints associated with TeamTNT.