TeamTNT Reportedly Eyes Credentials of AWS, Google Cloud
Group Uses Compromised Credentials to Attack Cloud Providers, Researchers Say
Cryptojacking group TeamTNT is leveraging compromised Amazon Web Services credentials to attack AWS cloud environments via the platform’s application programming interface, according to a report by Unit 42 at Palo Alto Networks.
“TeamTNT operations have targeted and, after compromise, exfiltrated AWS credentials, targeted Kubernetes clusters and created new malware called Black-T that integrates open-source cloud-native tools to assist in their cryptojacking operations,” the report says. Kubernetes is a container orchestration platform developed and backed by Google.
The cybercriminal gang is attempting to identify all identity and access management permissions, Elastic Compute Cloud instances, Simple Storage Service buckets, CloudTrail configurations and CloudFormation operations granted to the compromised AWS credentials, the report says.
An AWS spokesperson told Information Security Media Group that the reported activity was not a vulnerability in AWS. The company points users to its AWS security best practices and IAM security best practices guidance to help them secure their credentials.
Other Cloud-Based Apps Targeted
The cybercriminal organization, which has been evolving its cloud-focused cryptojacking operations, is also targeting the credentials of 16 other cloud-based applications, including Google Cloud, Docker, GitHub, Shodan, Ngrok, Pidgin, Filezilla, HexChat and Project Jupyter.
Its focus on Google Cloud marks the first known instance of an attacker group targeting IAM credentials on compromised cloud instances outside of AWS, the Palo Alto report says.
Google Cloud did not respond to ISMG’s request for comment.
In addition, TeamTNT has added the usage of the open-source Kubernetes and cloud penetration toolset Peirates to its reconnaissance operations, the Palo Alto report says.
“With these techniques available, TeamTNT actors are increasingly more capable of gathering enough information in target AWS and Google Cloud environments to perform additional post-exploitation operations. This could lead to more cases of lateral movement and potential privilege escalation attacks that could ultimately allow TeamTNT actors to acquire administrative access to an organization’s entire cloud environment,” the report says.
While credentials of Microsoft Azure, Alibaba Cloud, Oracle Cloud and IBM Cloud IAM may also have been targeted using similar methods, Palo Alto researchers say they have not yet found evidence supporting that proposition.
Separately, the researchers have identified one of TeamTNT’s malware repositories, which contains several bash scripts designed to perform cryptojacking operations, exploitation, lateral movement and credential-scraping operations. Dubbed Chimaera, the malware repository highlights the expanding scope of TeamTNT’s operations within cloud environments and a target set for current and future operations.
In a recent report, Trend Micro says that the threat actor has been scanning for and compromising Kubernetes clusters in the wild.
The report says the group compromised more than 50,000 IPs across multiple clusters between March and May, targeting both internet service providers and cloud service providers in several countries, with a focus on China and the U.S.
Defense and Prevention
TeamTNT actors are specifically targeting cloud platforms to circumvent future security detection tools and embed themselves into the organization’s cloud environment, the Palo Alto report says.
“We recommend that organizations operating with cloud environments monitor for and block all network connections associated with TeamTNT’s Chimaera repository, as well as historic Command and Control (C2) endpoints. Using a cloud native security platform will significantly reduce the cloud infrastructure’s attack surface and allow organizations to monitor for risks,” the report says.
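As an added example, not code from the Unit 42 report or this article: a small detection routine that applies the report's description of the enumeration activity to constructed CloudTrail records, flagging any access key that issues read-only calls to several of the named services (IAM, EC2, S3, CloudTrail, CloudFormation) within a short window. The service names, thresholds, access key IDs and sample events are assumptions made for the example.

```python
# Added example (not from the Unit 42 report or the ISMG article): flag an AWS access key
# that enumerates several services in a short window, the pattern attributed to TeamTNT.
# The CloudTrail records below are constructed samples, trimmed to the fields used here.
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Services the report says were enumerated with the compromised credentials.
WATCHED = {"iam.amazonaws.com", "ec2.amazonaws.com", "s3.amazonaws.com",
           "cloudtrail.amazonaws.com", "cloudformation.amazonaws.com"}
ENUM_PREFIXES = ("Describe", "List", "Get")  # read-only enumeration verbs

SAMPLE_EVENTS = [json.loads(line) for line in """
{"eventTime":"2021-06-01T10:00:05Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","userIdentity":{"accessKeyId":"AKIAEXAMPLE0000001"}}
{"eventTime":"2021-06-01T10:00:09Z","eventSource":"iam.amazonaws.com","eventName":"ListAttachedUserPolicies","userIdentity":{"accessKeyId":"AKIAEXAMPLE0000001"}}
{"eventTime":"2021-06-01T10:00:14Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"accessKeyId":"AKIAEXAMPLE0000001"}}
{"eventTime":"2021-06-01T10:00:20Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","userIdentity":{"accessKeyId":"AKIAEXAMPLE0000001"}}
{"eventTime":"2021-06-01T10:00:25Z","eventSource":"cloudtrail.amazonaws.com","eventName":"DescribeTrails","userIdentity":{"accessKeyId":"AKIAEXAMPLE0000001"}}
{"eventTime":"2021-06-01T10:00:31Z","eventSource":"cloudformation.amazonaws.com","eventName":"DescribeStacks","userIdentity":{"accessKeyId":"AKIAEXAMPLE0000001"}}
{"eventTime":"2021-06-01T10:05:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"accessKeyId":"AKIAEXAMPLE0000002"}}
{"eventTime":"2021-06-01T11:30:00Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","userIdentity":{"accessKeyId":"AKIAEXAMPLE0000002"}}
""".strip().splitlines()]

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def flag_enumeration(events, window=timedelta(minutes=10), min_services=3):
    """Return {accessKeyId: sorted services} for keys that made Describe/List/Get
    calls to at least `min_services` watched services inside one sliding window."""
    by_key = defaultdict(list)
    for ev in events:
        if ev["eventSource"] in WATCHED and ev["eventName"].startswith(ENUM_PREFIXES):
            by_key[ev["userIdentity"]["accessKeyId"]].append(
                (parse_time(ev["eventTime"]), ev["eventSource"]))
    flagged = {}
    for key, calls in by_key.items():
        calls.sort()  # chronological, so each call can open a window
        for i, (start, _) in enumerate(calls):
            services = {src for t, src in calls[i:] if t - start <= window}
            if len(services) >= min_services:
                flagged[key] = sorted(services)
                break
    return flagged

if __name__ == "__main__":
    for key, services in flag_enumeration(SAMPLE_EVENTS).items():
        print(f"{key}: cross-service enumeration of {', '.join(services)}")
```

The second key touches only two services 85 minutes apart, so it stays below the threshold even when `min_services` is lowered; a real deployment would read events from the CloudTrail log bucket or an event stream rather than an inline sample.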