As many as 196 hosts have been infected as part of an aggressive cloud campaign mounted by the TeamTNT group called Silentbob.
“The botnet run by TeamTNT has set its sights on Docker and Kubernetes environments, Redis servers, Postgres databases, Hadoop clusters, Tomcat and Nginx servers, Weave Scope, SSH, and Jupyter applications,” Aqua security researchers Ofek Itach and Assaf Morag said in a report shared with The Hacker News.
“The primary focus this time seems to be more on infecting systems and testing the botnet, rather than deploying cryptominers for profit.”
The development arrives a week after the cloud security firm detailed an intrusion set linked to the TeamTNT group that targets exposed JupyterLab and Docker APIs to deploy the Tsunami malware and hijack system resources to run a cryptocurrency miner.
The latest findings suggest a broader campaign and the use of a larger attack infrastructure than previously thought, including various shell scripts to steal credentials, deploy SSH backdoors, download additional payloads, and drop legitimate tools like kubectl, Pacu, and Peirates to conduct reconnaissance of the cloud environment.
The attack chains are realized by the deployment of rogue container images hosted on Docker Hub, which are designed to scan the internet for misconfigured instances and infect the newly identified victims with Tsunami and a worm script to co-opt more machines into a botnet.
“This botnet is notably aggressive, rapidly proliferating across the cloud and targeting a wide array of services and applications within the Software Development Life Cycle (SDLC),” the researchers said. “It operates at an impressive speed, demonstrating remarkable scanning capability.”
Tsunami uses the Internet Relay Chat (IRC) protocol to connect to the command-and-control (C2) server, which then issues commands to all the infected hosts under its control, thereby allowing the threat actor to maintain backdoor access.
What’s more, the cryptomining execution is hidden using a rootkit called prochider to prevent it from being detected when a ps command is run on the hacked system to retrieve the list of active processes.
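A defender-side check for the process-hiding behaviour described above, written as an added example (not Aqua's code and not anything from the campaign): it enumerates PIDs by probing /proc/<pid> one at a time with stat(), which a rootkit that only filters directory listings or ps output cannot suppress, and flags a PID only if it is missing from `ps` in every snapshot. It assumes a Linux host with procfs and a `ps` that accepts `-e -o pid=`; how prochider actually hooks ps is not stated on the page, so the readdir-filtering model is an assumption.

```python
"""Spot processes hidden from `ps` by comparing two views of the PID space.
Added example, not code from Aqua or the campaign; assumes Linux with procfs."""
import os
import subprocess
import time

def pids_by_probe(limit=None):
    """Enumerate PIDs by stat()-ing /proc/<pid> one by one instead of listing /proc.
    A rootkit that filters directory listings (assumed model for prochider) does
    not affect a direct path lookup, so the kernel's real view comes through."""
    if limit is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            limit = int(fh.read())
    found = set()
    for pid in range(1, limit + 1):
        try:
            os.stat(f"/proc/{pid}")
            found.add(pid)
        except FileNotFoundError:
            pass
    return found

def pids_by_ps():
    """PIDs as reported by the ps binary, the view an intruder wants to sanitise."""
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def hidden_pids(probe_view, ps_view):
    """PIDs the kernel admits exist that ps did not report."""
    return set(probe_view) - set(ps_view)

def confirmed_hidden(snapshots):
    """Intersect per-snapshot differences so a process that merely exited between
    the probe and the ps call is not reported; pure, testable on constructed pairs."""
    result = None
    for probe_view, ps_view in snapshots:
        diff = hidden_pids(probe_view, ps_view)
        result = diff if result is None else result & diff
    return result or set()

def scan(rounds=2, pause=1.0):
    """Take `rounds` live snapshots and return PIDs hidden in every one of them."""
    snaps = []
    for _ in range(rounds):
        snaps.append((pids_by_probe(), pids_by_ps()))
        time.sleep(pause)
    return confirmed_hidden(snaps)

if __name__ == "__main__":
    for pid in sorted(scan()):
        print(f"hidden from ps: pid {pid}")
```

A non-empty result is a lead, not proof: confirm with a second independent source such as `ls /proc` from a statically linked shell or an offline disk image, since a kernel-level rootkit can fool this check too.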
“TeamTNT is scanning for credentials across multiple cloud environments, including AWS, Azure, and GCP,” the researchers said. It is the latest evidence that the threat actors are upgrading their tradecraft.
“They are not only looking for general credentials but also specific applications such as Grafana, Kubernetes, Docker Compose, Git access, and NPM. Additionally, they are searching for databases and storage systems such as Postgres, AWS S3, Filezilla, and SQLite.”
SCARLETEEL Tied to TeamTNT
The development comes days after Sysdig disclosed a new attack mounted by SCARLETEEL to compromise AWS infrastructure with the goal of conducting data theft and distributing cryptocurrency miners on compromised systems.
While there were circumstantial links connecting SCARLETEEL to TeamTNT, Aqua told The Hacker News that the intrusion set is in fact linked to the threat actor.
“This is another campaign by TeamTNT,” Morag, lead data analyst at Aqua Nautilus research team, said. “The SCARLETEEL IP address, 45.9.148[.]221, was used just days ago in TeamTNT’s IRC channel C2 server. The scripts are very similar and the TTPs are the same. It seems like TeamTNT never stopped attacking. If they ever retired, it was only for a brief moment.”