TeamTNT’s Cloud Credential Stealing Campaign Now Targets Azure and Google Cloud

July 14, 2023 | THN | Cyber Threat / Cloud Security


Malicious actors have been implicated in a June 2023 cloud credential theft campaign focused on Azure and Google Cloud Platform (GCP) services, marking the attackers' expansion beyond Amazon Web Services (AWS).

The findings come from SentinelOne and Permiso, who both say that “the campaign shares similarities with tools attributed to the infamous TeamTNT cryptojacking gang,” but that “attribution remains difficult with script-based tools.”

They also overlap with an ongoing TeamTNT campaign, dubbed Silentbob, that Aqua disclosed. That campaign leverages misconfigured cloud services to drop malware as part of what is said to be a testing effort, and Aqua cited infrastructure commonalities to link the SCARLETEEL attacks to the same threat actor.

“TeamTNT scans credentials across multiple cloud environments, including AWS, Azure, and GCP,” noted Aqua.

The attack, which identifies publicly exposed Docker instances to deploy a worm-like propagation module, is a continuation of an intrusion set that previously targeted Jupyter Notebook in December 2022.


Between June 15th, 2023 and July 11th, 2023, eight incremental versions of the credential harvesting script were discovered, demonstrating an active campaign.

New versions of this malware are designed to harvest credentials from AWS, Azure, Google Cloud Platform, Censys, Docker, Filezilla, Git, Grafana, Kubernetes, Linux, Ngrok, PostgreSQL, Redis, S3QL, and SMB. Harvested credentials are exfiltrated to remote servers under the threat actor’s control.
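The list above is a useful checklist from the defender's side: each of those products keeps long-lived secrets in predictable files under a user's home directory, and a harvester that lands on a host simply reads them. The script below is an added example (not from the article, SentinelOne, Permiso or Aqua) that inventories such files on a Linux host and flags any that are readable by group or world, which is the first thing to tighten before worrying about more exotic controls. The file locations are assumed defaults for the tools named in the article, not paths the article itself gives; `demo()` builds a constructed sample home directory so the audit can be run offline.

```python
import os
import stat
import tempfile
from pathlib import Path

# Assumed default locations of credential material for services named in the
# article, relative to a user's home directory. Extend for your own estate.
CREDENTIAL_PATHS = {
    "AWS": [".aws/credentials", ".aws/config"],
    "Azure": [".azure/accessTokens.json", ".azure/azureProfile.json"],
    "GCP": [
        ".config/gcloud/application_default_credentials.json",
        ".config/gcloud/credentials.db",
    ],
    "Docker": [".docker/config.json"],
    "Kubernetes": [".kube/config"],
    "Git": [".git-credentials"],
    "PostgreSQL": [".pgpass"],
    "Redis": [".rediscli_history"],
    "Filezilla": [".config/filezilla/sitemanager.xml"],
}


def audit_home(home):
    """Return one finding per credential file present under `home`.

    Each finding records the owning service, the absolute path, the permission
    bits, and whether anyone other than the owner can read the file.
    """
    home = Path(home)
    findings = []
    for service, rel_paths in CREDENTIAL_PATHS.items():
        for rel in rel_paths:
            path = home / rel
            if not path.is_file():
                continue
            mode = stat.S_IMODE(path.stat().st_mode)
            exposed = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
            findings.append({
                "service": service,
                "path": str(path),
                "mode": oct(mode),
                "group_or_world_readable": exposed,
            })
    return findings


def exposed_services(findings):
    """Names of services whose credential file is readable beyond the owner."""
    return [f["service"] for f in findings if f["group_or_world_readable"]]


def _write(path, mode, text):
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)
    os.chmod(path, mode)  # explicit chmod so the umask does not change the result


def demo():
    """Constructed sample home with two loose files and one properly locked down."""
    home = Path(tempfile.mkdtemp(prefix="credaudit-"))
    _write(home / ".aws/credentials", 0o644,
           "[default]\naws_access_key_id = AKIAEXAMPLE\n")         # constructed value
    _write(home / ".docker/config.json", 0o604, '{"auths": {}}\n')
    _write(home / ".kube/config", 0o600, "apiVersion: v1\nclusters: []\n")
    return audit_home(home)


if __name__ == "__main__":
    for f in audit_home(Path.home()):
        flag = "EXPOSED" if f["group_or_world_readable"] else "ok"
        print(f"{flag:8} {f['mode']} {f['service']:11} {f['path']}")
```

Run it as each service account on a host (or iterate over `/home/*` as root) and feed the `EXPOSED` lines into whatever ticketing or configuration-management system you use; a `chmod 600` closes the obvious gap, but any file the script lists is also one whose contents should be rotated if the host is suspected of compromise, because a harvester running as the owner reads it regardless of mode.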


SentinelOne said the credential harvesting logic and targeted files were similar to TeamTNT’s campaign targeting Kubelet in September 2022.

In addition to shell script malware, the threat actors have also been observed distributing Golang-based ELF binaries that act as scanners to propagate the malware to vulnerable targets. These binaries also drop a Golang network scanning utility called Zgrab.

Security researchers Alex Delamotte, Ian Ahl, and Daniel Bohannon said, “This campaign shows the evolution of tech-savvy and seasoned cloud actors.” “The meticulous attention to detail shows that the actors have clearly gone through a lot of trial and error.”

“The actor is actively tuning and improving their tools. Based on the adjustments we have observed over the past few weeks, it is likely that the actor is preparing for a large-scale campaign.”
