Cybersecurity researchers have discovered the attack infrastructure used as part of a “high potential campaign” against cloud-native environments.
“This infrastructure is in the early stages of testing and deployment, and is especially consistent with an aggressive cloud worm designed to deploy on open JupyterLab and Docker APIs to spread Tsunami malware, cloud credential hijacking, resource hijacking, and further infestation of the worm,” cloud security firm Aqua said.
The activity, dubbed Silentbob in reference to an attacker-managed AnonDNS domain, is said to be linked to a well-known cryptojacking group tracked as TeamTNT, citing overlaps in tactics, techniques, and procedures (TTPs). However, the involvement of “advanced copycats” has not been ruled out.
Aqua’s investigation was sparked after an attack targeting its honeypot in early June 2023, leading to the discovery of four malicious container images designed to detect exposed Docker and Jupyter Lab instances and deploy cryptocurrency miners and the Tsunami backdoor.
This is achieved through shell scripts that are programmed to launch when the container is started and are used to deploy the Go-based Take scanner to find misconfigured servers. Docker has since removed the images from the public registry. The images are listed below:
- shanidmk/jltest2 (44 pulls)
- shanidmk/jltest (8 pulls)
- shanidmk/sysapp (11 pulls)
- shanidmk/wad (29 pulls)
shanidmk/sysapp, in addition to running a cryptocurrency miner on the infected host, is configured to download and run additional binaries, which Aqua says could either be a backup crypto miner or the Tsunami malware.
Also downloaded by the container is a file named “aws.sh.txt”, a script likely designed to systematically scan the environment for AWS keys for subsequent exfiltration.
Aqua said it found 51 servers with open JupyterLab instances in the wild, all of which were either actively exploited or showing signs of exploitation by threat actors. This includes “a direct manual attack on any of the servers using mass scanning to scan open Docker APIs.”
“Initially, the attacker identifies a misconfigured server (either Docker API or JupyterLab) and deploys the container or uses the Command Line Interface (CLI) to scan and identify additional victims,” said security researchers Ofek Itach and Assaf Morag.
“This process is designed to spread the malware across a growing number of servers. The secondary payload of this attack includes crypto miners and backdoors, the latter of which uses the Tsunami malware as its weapon of choice.”
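The entry point the researchers describe is a misconfigured Docker API or JupyterLab server. As an added example (not from Aqua or the article), the following Python audits the two configuration files that typically create that exposure: a Docker `daemon.json` that binds the Engine API to a TCP socket on all interfaces without `tlsverify`, and a Jupyter config that binds to all interfaces with token and password authentication disabled. The sample configs and the finding strings are constructed here for illustration.

```python
import json
import re

# Constructed sample /etc/docker/daemon.json: Engine API on all interfaces, no TLS.
SAMPLE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed sample jupyter_server_config.py: remote access with no authentication.
SAMPLE_JUPYTER_CONFIG = """
c.ServerApp.ip = '0.0.0.0'
c.ServerApp.token = ''
c.ServerApp.password = ''
"""

def audit_docker_daemon(daemon_json: str) -> list[str]:
    """Return findings for a daemon.json that exposes the Docker Engine API over TCP."""
    cfg = json.loads(daemon_json)
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local-only
        addr = host[len("tcp://"):]
        if addr.startswith(("0.0.0.0", "[::]", ":")):
            findings.append(f"Docker API listens on all interfaces: {host}")
        if not cfg.get("tlsverify", False):
            findings.append(f"Docker API over TCP without tlsverify: {host}")
    return findings

def audit_jupyter_config(config_text: str) -> list[str]:
    """Return findings for a Jupyter config that allows unauthenticated remote access."""
    # Collect c.NotebookApp.* / c.ServerApp.* assignments (old and new config names).
    settings = {}
    pattern = r"^c\.(?:NotebookApp|ServerApp)\.(\w+)\s*=\s*(.+)$"
    for m in re.finditer(pattern, config_text, re.MULTILINE):
        settings[m.group(1)] = m.group(2).strip()
    empty = ("''", '""')
    findings = []
    if settings.get("ip") in ("'0.0.0.0'", '"0.0.0.0"', "'*'", '"*"'):
        findings.append("JupyterLab bound to all interfaces")
    if settings.get("token") in empty:
        findings.append("JupyterLab token authentication disabled")
    if settings.get("password") in empty:
        findings.append("JupyterLab password authentication disabled")
    return findings

if __name__ == "__main__":
    for finding in audit_docker_daemon(SAMPLE_DAEMON_JSON) + audit_jupyter_config(SAMPLE_JUPYTER_CONFIG):
        print("FINDING:", finding)
```

A hardened `daemon.json` that lists only the unix socket, and a Jupyter config that sets a non-empty token or password and binds to localhost, produce no findings.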