
As many as 196 hosts have been infected as part of an aggressive cloud campaign staged by the TeamTNT group, dubbed Silentbob.
Ofek Itach and Assaf Morag, security researchers at Aqua, said, “The botnet operated by TeamTNT has set its sights on Docker and Kubernetes environments, Redis servers, Postgres databases, Hadoop clusters, Tomcat and Nginx servers, Weave Scope, SSH, and Jupyter applications.” The report was shared with The Hacker News.
“This time, the focus seems to be on infecting systems and testing botnets rather than deploying cryptominers for profit.”
The development comes a week after the cloud security firm detailed an intrusion set linked to the TeamTNT group that targets exposed JupyterLab and Docker APIs to deploy the Tsunami malware, hijack system resources, and run a cryptocurrency miner.
The latest findings point to a broader campaign than previously thought, backed by a larger attack infrastructure that includes various shell scripts for stealing credentials, deploying SSH backdoors, downloading additional payloads, and dropping legitimate tools such as kubectl, Pacu, and Peirates to conduct reconnaissance of the cloud environment.
The attack chain is carried out through malicious container images hosted on Docker Hub. The images scan the internet for misconfigured instances and infect newly identified victims with Tsunami and worm scripts, bringing more machines into the botnet.
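The misconfiguration such a worm is scanning for is a Docker Engine API reachable over plain TCP. The script below, an added example that is not code from the Aqua report or from the attackers' images, audits a parsed daemon.json for that exposure and makes the same unauthenticated GET /version request a scanner would; the daemon.json path and the default port 2375 are assumptions for a stock Linux install.

```python
"""Check a host for the exposed Docker API that internet-scanning worms look for.
Added example; not code from the Aqua report or from TeamTNT's tooling."""
import json
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Default daemon.json location on Linux (assumption; adjust for your host).
DAEMON_JSON = "/etc/docker/daemon.json"


def audit_daemon_config(config: dict) -> list:
    """Return findings for a parsed daemon.json.

    A 'hosts' entry of the form tcp://ADDR:PORT exposes the Engine API on
    the network; without tlsverify, anyone who can reach that socket can
    start privileged containers on the host."""
    findings = []
    tls = bool(config.get("tlsverify", False))
    for host in config.get("hosts", []):
        u = urlparse(host)
        if u.scheme != "tcp":
            continue  # unix:// and fd:// sockets are local, not a remote exposure
        bind = u.hostname or ""
        wildcard = bind in ("", "0.0.0.0", "::")
        if not tls:
            findings.append(
                f"{host}: Docker API over plain TCP without tlsverify"
                + (" on all interfaces" if wildcard else "")
            )
        elif wildcard:
            findings.append(f"{host}: TLS-protected API bound to all interfaces; "
                            "restrict it with a firewall or bind to one address")
    return findings


def probe_docker_api(host: str, port: int = 2375, timeout: float = 3.0):
    """Unauthenticated GET /version, the request an internet scanner makes.
    Returns the reported server version, or None when nothing answers
    (closed port, TLS required, or a non-Docker service)."""
    url = f"http://{host}:{port}/version"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return json.loads(resp.read().decode()).get("Version")
    except (urllib.error.URLError, OSError, ValueError):
        return None


if __name__ == "__main__":
    try:
        with open(DAEMON_JSON) as fh:
            cfg = json.load(fh)
    except FileNotFoundError:
        cfg = {}
    for finding in audit_daemon_config(cfg) or ["no remote TCP exposure in daemon.json"]:
        print(finding)
    print("API answers on 127.0.0.1:2375:", probe_docker_api("127.0.0.1"))
```

Run it on the Docker host itself; a non-None result from the probe on any interface other than a firewalled management address means the host is one scan away from joining the botnet.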
“This botnet is particularly aggressive, proliferating rapidly across the cloud and targeting a wide range of services and applications within the software development lifecycle (SDLC),” said the researchers. “It works amazingly fast and has excellent scanning capabilities.”
Tsunami uses the Internet Relay Chat (IRC) protocol to connect to a command-and-control (C2) server, from which the operators issue commands to all infected hosts under their control. This gives the threat actors persistent backdoor access.
The cryptomining process is additionally hidden using a rootkit called prochider, so that it does not appear when the ps command is run on a compromised system to list active processes.
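A quick way to catch this class of hider on a live host, as an added example that is not code from the Aqua report: the assumption here is that prochider, like other userland process hiders, works by preloading a shared library that filters what libc returns to ps rather than by altering the kernel, so a direct listing of /proc still shows the PID that ps omits. The script compares the two views and also reports the usual preload indicators.

```python
"""Detect a userland process hider by diffing /proc against ps output.
Added example; assumes an LD_PRELOAD-style hider (Linux), not kernel-level."""
import os
import subprocess

LD_SO_PRELOAD = "/etc/ld.so.preload"   # system-wide preload file on Linux


def hidden_pids(proc_pids, ps_pids):
    """PIDs present in /proc but missing from ps. Kept pure so it can be
    checked on constructed input."""
    return sorted(set(proc_pids) - set(ps_pids))


def collect_proc_pids():
    """Enumerate /proc directly; numeric directory names are PIDs."""
    return [int(name) for name in os.listdir("/proc") if name.isdigit()]


def collect_ps_pids():
    """Ask ps for the PID list; a preloaded hider filters this view."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return [int(tok) for tok in out.split()]


def preload_indicators(env=None, preload_path=LD_SO_PRELOAD):
    """Secondary indicators: a global LD_PRELOAD or a populated
    /etc/ld.so.preload, both unusual on a server."""
    env = os.environ if env is None else env
    hits = []
    if env.get("LD_PRELOAD"):
        hits.append(f"LD_PRELOAD={env['LD_PRELOAD']}")
    try:
        with open(preload_path) as fh:
            libs = [line.strip() for line in fh if line.strip()]
        if libs:
            hits.append(f"{preload_path}: {', '.join(libs)}")
    except OSError:
        pass
    return hits


if __name__ == "__main__":
    # Processes that exit between the two snapshots show up as false
    # positives, so each hit is re-read from /proc before being reported.
    for pid in hidden_pids(collect_proc_pids(), collect_ps_pids()):
        try:
            with open(f"/proc/{pid}/comm") as fh:
                print(f"hidden from ps: pid {pid} ({fh.read().strip()})")
        except OSError:
            pass  # already gone; not a hider
    for indicator in preload_indicators():
        print("preload indicator:", indicator)
```

Because ps itself is the thing being lied to, run the /proc enumeration with a statically linked binary (or from a clean rescue image) if you suspect the preload library also filters directory reads for Python.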
“TeamTNT scans for credentials across multiple cloud environments, including AWS, Azure, and GCP,” the researchers said, the latest sign that the threat actor is upgrading its tooling.
“They are not only looking for generic credentials, but also for those of specific applications such as Grafana, Kubernetes, Docker Compose, Git access, and NPM. They also look for databases and storage systems such as Postgres, AWS S3, Filezilla, and SQLite.”
The development comes just days after Sysdig uncovered a new attack launched by SCARLETEEL to compromise AWS infrastructure with the goal of stealing data and distributing cryptocurrency miners to compromised systems.
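The practical counterpart of that credential list is knowing which files on your own hosts would be swept up. The script below is an added example, not code from the Aqua report; the path table is my assumption of the default locations for the applications the researchers name, and the demo home directory it builds is constructed data so the audit can be exercised offline.

```python
"""Inventory local credential stores a cloud-credential harvester would grab
and flag any readable by other users. Added example; path list is assumed."""
import os
import stat
import tempfile

# Default credential locations (relative to $HOME) for the applications the
# article mentions; assumed defaults, adjust for non-standard setups.
CREDENTIAL_PATHS = {
    "AWS CLI": ".aws/credentials",
    "Azure CLI": ".azure/msal_token_cache.json",
    "gcloud": ".config/gcloud/credentials.db",
    "kubectl": ".kube/config",
    "Docker registry": ".docker/config.json",
    "Git": ".git-credentials",
    "npm": ".npmrc",
    "PostgreSQL": ".pgpass",
    "FileZilla": ".config/filezilla/sitemanager.xml",
}


def audit_credential_files(home, paths=CREDENTIAL_PATHS):
    """Return one record per credential file that exists under `home`,
    marking it exposed when group or world can read it."""
    findings = []
    for app, rel in paths.items():
        path = os.path.join(home, rel)
        try:
            mode = stat.S_IMODE(os.stat(path).st_mode)
        except OSError:
            continue  # not present; nothing for a harvester to take
        findings.append({
            "app": app,
            "path": path,
            "mode": oct(mode),
            "exposed": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
        })
    return findings


def make_demo_home():
    """Constructed fixture: a temp home with a locked-down AWS file and a
    group/world-readable kubeconfig, to show both outcomes."""
    home = tempfile.mkdtemp(prefix="credaudit-")
    for rel, mode, body in (
        (".aws/credentials", 0o600, "[default]\naws_access_key_id = EXAMPLE\n"),
        (".kube/config", 0o644, "apiVersion: v1\nkind: Config\n"),
    ):
        path = os.path.join(home, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return home


if __name__ == "__main__":
    target = os.environ.get("AUDIT_HOME") or os.path.expanduser("~")
    for rec in audit_credential_files(target):
        flag = "EXPOSED" if rec["exposed"] else "ok"
        print(f"{flag:8} {rec['mode']:>6} {rec['app']:16} {rec['path']}")
```

Set AUDIT_HOME to another user's home (as root) to audit service accounts; every record that comes back is a file worth protecting with mode 0600, auditd watches, and short-lived credentials, since the harvester described above reads exactly these paths once it lands on the box.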

While there were circumstantial connections between SCARLETEEL and TeamTNT, Aqua told The Hacker News that the intrusion set is in fact associated with the same threat actor.
“This is another TeamTNT campaign,” said Morag, principal data analyst for the Aqua Nautilus research team. “The SCARLETEEL IP address, 45.9.148[.]221, was used on TeamTNT’s IRC channel C2 server just a few days ago. The scripts are very similar and so are the TTPs. It seems TeamTNT never stopped attacking. Even if they retired, it was only for a moment.”