TeamTNT’s Cloud Credential Theft Campaign Now Targets Azure and Google Cloud


July 14, 2023 | thn | Cyber Threats / Cloud Security


Bad actors have been linked to a June 2023 cloud credential theft campaign that focused on Azure and Google Cloud Platform (GCP) services, marking an expansion of the adversaries' targeting beyond Amazon Web Services (AWS).

The findings come from SentinelOne and Permiso, which said that "the campaign shares similarities with tools associated with the notorious TeamTNT cryptojacking crew", though they emphasized that "attribution remains challenging with script-based tools."

They also overlap with an ongoing TeamTNT campaign disclosed by Aqua, dubbed Silentbob, which abused a misconfigured cloud service to distribute malware as part of what Aqua said was a testing effort; Aqua also linked the SCARLETEEL attacks to the same threat actors, citing infrastructure similarities.

“TeamTNT is scanning credentials across multiple cloud environments, including AWS, Azure, and GCP,” said Aqua.

The attack, which singles out public-facing Docker instances to deploy worm-like propagation modules, is a continuation of a series of earlier intrusions that targeted Jupyter notebooks in December 2022.


A total of eight incremental versions of the credential harvesting script have been found between June 15, 2023 and July 11, 2023, indicating an actively growing campaign.

Newer versions of the malware are designed to collect credentials from AWS, Azure, Google Cloud Platform, Censys, Docker, FileZilla, Git, Grafana, Kubernetes, Linux, Ngrok, PostgreSQL, Redis, S3QL, and SMB. The harvested credentials are then exfiltrated to a remote server under the threat actor's control.
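As an added defender-side example (not code from the article or from the researchers it cites), the inventory below lists which of the credential stores named above are present in a Linux home directory and whether each file is readable beyond the owning account. The file locations are the tools' usual defaults and are assumed here; `make_sample_home` builds a constructed sample to run against.

```python
import os
import stat
import tempfile
from pathlib import Path

# Usual Linux locations for the credential stores the article names; these
# defaults are assumed here, not taken from the SentinelOne/Permiso report.
CREDENTIAL_ARTIFACTS = {
    "AWS": [".aws/credentials"],
    "Azure": [".azure/msal_token_cache.json"],
    "Google Cloud": [".config/gcloud/credentials.db"],
    "Docker": [".docker/config.json"],
    "Git": [".git-credentials"],
    "Kubernetes": [".kube/config"],
    "PostgreSQL": [".pgpass"],
    "Ngrok": [".config/ngrok/ngrok.yml"],
    "FileZilla": [".config/filezilla/sitemanager.xml"],
}


def audit_home(home: str) -> list[dict]:
    """Inventory credential files under one home; `exposed` means group/other readable."""
    findings = []
    for service, rel_paths in CREDENTIAL_ARTIFACTS.items():
        for rel in rel_paths:
            path = Path(home) / rel
            if not path.is_file():
                continue
            mode = stat.S_IMODE(path.stat().st_mode)
            findings.append({
                "service": service,
                "path": str(path),
                "mode": f"{mode:04o}",
                "exposed": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
            })
    return findings


def make_sample_home() -> str:
    """Constructed sample home: a world-readable AWS credentials file and a
    locked-down kubeconfig. File contents are placeholders, not real keys."""
    home = tempfile.mkdtemp(prefix="cred-audit-")
    for rel, mode, text in [
        (".aws/credentials", 0o644, "[default]\naws_access_key_id = PLACEHOLDER\n"),
        (".kube/config", 0o600, "apiVersion: v1\nkind: Config\n"),
    ]:
        path = Path(home) / rel
        path.parent.mkdir(parents=True)
        path.write_text(text)
        os.chmod(path, mode)
    return home
```

Running `audit_home` over every home directory on a host gives a quick list of which of the article's credential stores an intruder on that host would reach, which is the set to rotate and scope down first.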


SentinelOne says the credential collection logic and the targeted files are similar to those of a Kubelet-targeting campaign conducted by TeamTNT in September 2022.

Alongside the shell script malware, the threat actors have also been observed distributing Golang-based ELF binaries that act as scanners and deploy the malware to vulnerable targets. The binary further drops a Golang network scanning utility called ZGrab.

“This campaign demonstrates the evolution of experienced cloud actors with familiarity across multiple technologies,” said security researchers Alex Delamotte, Ian Ahl, and Daniel Bohannon. “Careful attention to detail shows that the actor has gone through a lot of trial and error.”

“The actor is actively tuning and improving their tools. Based on the adjustments observed over the last few weeks, the actor is likely preparing for a larger scale campaign.”
