A total of 196 hosts have been infected as part of an aggressive cloud campaign being carried out by a group called TeamTNT Silentbob.
“Botnets run by TeamTNT have targeted Docker and Kubernetes environments, Redis servers, Postgres databases, Hadoop clusters, Tomcat and Nginx servers, Weave Scope, SSH, and Jupyter applications,” Aqua security researchers Ofek Itach and Assaf Morag said in a report shared with The Hacker News.
“The focus this time seems to be more on infecting systems and testing botnets, rather than using crypto miners for profit.”
The development arrives a week after the cloud security firm detailed an intrusion set linked to the TeamTNT group that targeted open APIs of JupyterLab and Docker to spread Tsunami malware and hijack system resources to run cryptocurrency miners.
Recent findings point to a broader campaign and wider use of attack infrastructure than previously thought, including various shell scripts to steal credentials, plant SSH backdoors, download additional payloads, and deploy legitimate tools such as kubectl, Pacu, and Peirates to conduct reconnaissance of the cloud environment.
The attack chain was realized through the deployment of rogue container images hosted on Docker Hub, designed to scan the internet for misconfigured instances and infect newly identified victims with Tsunami and worm scripts that co-opt more machines into the botnet.
“This botnet is very aggressive, proliferates quickly in the cloud and targets a wide variety of services and applications within the Software Development Life Cycle (SDLC),” the researchers said. “It operates at an impressive speed, demonstrating excellent scanning capabilities.”
Tsunami uses Internet Relay Chat (IRC) to connect to a command-and-control server (C2), which then issues commands to all infected hosts under its control, allowing the threat actor to maintain backdoor access.
What’s more, the cryptomining process is hidden using a rootkit called prochider so that it does not show up when the ps command is run on a compromised system to list active processes.
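A rootkit that filters what ps reports usually does so by tampering with directory listing of /proc in userland, so a defender can cross-check the process list by probing /proc/<pid> entries directly instead of listing the directory. The following check is an added example written for this article, not code from Aqua or from the campaign; it assumes a Linux host where /proc is mounted and ps is available.

```python
import os
import subprocess


def pids_from_readdir(proc_root="/proc"):
    """PIDs obtained by listing /proc, the same path ps and ls rely on.
    A rootkit that hooks readdir() filters this view."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pids_from_probe(proc_root="/proc", pid_max=None):
    """PIDs obtained by stat'ing /proc/<n> for every n up to pid_max.
    stat() does not go through readdir(), so a readdir-level filter
    cannot hide entries from this walk."""
    if pid_max is None:
        with open(f"{proc_root}/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    return {n for n in range(1, pid_max + 1) if os.path.isdir(f"{proc_root}/{n}")}


def pids_from_ps():
    """PIDs as reported by the ps binary itself."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_pids(full_view, filtered_view):
    """PIDs present in the unfiltered view but missing from the filtered one.
    Pure function so it can be exercised on constructed sets."""
    return sorted(full_view - filtered_view)


def confirmed_hidden(sample, proc_root="/proc"):
    """Run the comparison twice and keep only PIDs hidden both times, which
    filters out processes that simply started or exited between the views."""
    first = set(hidden_pids(pids_from_probe(proc_root), sample()))
    second = set(hidden_pids(pids_from_probe(proc_root), sample()))
    return sorted(first & second)


def cmdline(pid, proc_root="/proc"):
    try:
        with open(f"{proc_root}/{pid}/cmdline", "rb") as f:
            return f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return "<gone>"


if __name__ == "__main__":
    for pid in confirmed_hidden(pids_from_ps):
        print(f"hidden from ps: pid={pid} cmdline={cmdline(pid)!r}")
```

Any PID reported here is worth inspecting, together with /etc/ld.so.preload, since preloaded libraries are a common way to hook readdir for every dynamically linked program.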
“TeamTNT is currently scanning credentials across a variety of cloud environments, including AWS, Azure, and GCP,” the researchers said. This is the latest evidence that threat actors are improving their skills.
“They are not only looking for general credentials but also specific applications such as Grafana, Kubernetes, Docker Compose, Git access and NPM. Additionally, they search databases and storage systems such as Postgres, AWS S3, Filezilla, and SQLite.”
The development comes days after Sysdig disclosed a new attack mounted by SCARLETEEL to compromise AWS infrastructure with the aim of committing data theft and distributing cryptocurrency miners on compromised systems.
Despite only an indirect link between SCARLETEEL and TeamTNT, Aqua told The Hacker News that the intrusion set was in fact related to the threat actor.
“This is another campaign by TeamTNT,” said Morag, principal data analyst on the Aqua Nautilus research team. “SCARLETEEL’s IP address, 45.9.148(.)221, was used the other day on the C2 server of the TeamTNT IRC channel. The scripts are very similar and the TTPs are the same. It seems that TeamTNT never stops attacking. If they ever retire, it’s only for a moment.”