TeamTNT has spent several months refining its focus on cloud-based infrastructure, which it compromises to mine cryptocurrency. It has recently expanded its toolset to steal credentials for multiple cloud-native applications, several of which are widely used across enterprises.
Until now, TeamTNT's main targets have been Monero wallets and configuration files. It has now started stealing credentials for cloud-native tools as well, which it uses to run cryptojacking operations on the victim's infrastructure.
- According to a Palo Alto Networks report, TeamTNT is targeting the credentials of 16 cloud-based applications, including AWS and Google Cloud credentials.
- Stolen AWS credentials are used to enumerate the victim's AWS environment and discover S3 buckets, EC2 instances, CloudTrail configurations, and IAM permissions. Because the calls are made with valid keys, they succeed and look like ordinary read-only activity by a legitimate principal; catching them depends on noticing the pattern rather than on failed requests.
- It also searches for Docker, Shodan, FileZilla, Pidgin, GitHub, ngrok, and Project Jupyter credentials, and has started using Peirates, an open-source Kubernetes and cloud penetration testing tool.
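The enumeration described in the second bullet leaves a trail in CloudTrail: a burst of inventory-style API calls from one principal that fans out across S3, EC2, CloudTrail and IAM within a few minutes. The following is an added example of detection logic for that pattern, written for this page; it is not TeamTNT's tooling and not code from the Palo Alto Networks report. The set of "discovery" event names, the window and thresholds, and the sample events (account ID, user names, IP address, timestamps) are all assumptions constructed for the example.

```python
"""Flag bursts of discovery API calls in CloudTrail that look like stolen-key enumeration.

Added example for this page, not TeamTNT's code. Event names are real AWS API
names, but treating this particular set as "discovery" is the example's own choice.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Inventory-style calls an attacker would use to map an account with stolen keys.
# Assumption: illustrative, not a complete or vendor-published list.
DISCOVERY_CALLS = {
    "s3.amazonaws.com": {"ListBuckets", "GetBucketLocation", "GetBucketAcl"},
    "ec2.amazonaws.com": {"DescribeInstances", "DescribeSecurityGroups", "DescribeRegions"},
    "cloudtrail.amazonaws.com": {"DescribeTrails", "GetTrailStatus", "GetEventSelectors"},
    "iam.amazonaws.com": {"ListUsers", "ListRoles", "ListAttachedUserPolicies",
                          "ListAccessKeys", "GetAccountAuthorizationDetails"},
}

WINDOW = timedelta(minutes=10)  # assumption: tune to your environment
MIN_SERVICES = 3                # discovery spread across at least this many services ...
MIN_CALLS = 5                   # ... with at least this many distinct discovery calls


def parse_event(line):
    """Pull the fields we need out of one CloudTrail record (JSON, one per line)."""
    ev = json.loads(line)
    return {
        "time": datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
        "principal": ev["userIdentity"]["arn"],
        "source": ev["eventSource"],
        "name": ev["eventName"],
        "ip": ev["sourceIPAddress"],
    }


def is_discovery(ev):
    return ev["name"] in DISCOVERY_CALLS.get(ev["source"], set())


def find_enumeration_bursts(lines):
    """Return one finding per principal whose discovery calls, within any WINDOW,
    touch >= MIN_SERVICES services and include >= MIN_CALLS distinct calls."""
    by_principal = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if is_discovery(ev):
            by_principal[ev["principal"]].append(ev)

    findings = []
    for principal, evs in by_principal.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):            # slide the window over each start point
            window = [e for e in evs[i:] if e["time"] - first["time"] <= WINDOW]
            services = {e["source"] for e in window}
            calls = {(e["source"], e["name"]) for e in window}
            if len(services) >= MIN_SERVICES and len(calls) >= MIN_CALLS:
                findings.append({
                    "principal": principal,
                    "start": first["time"].isoformat(),
                    "end": window[-1]["time"].isoformat(),
                    "services": sorted(services),
                    "call_count": len(calls),
                    "source_ips": sorted({e["ip"] for e in window}),
                })
                break                              # one finding per principal is enough
    return findings


def _record(t, arn, source, name, ip):
    """Build a minimal CloudTrail-shaped record. Constructed sample data, not a real log."""
    return json.dumps({"eventTime": t, "userIdentity": {"arn": arn},
                       "eventSource": source, "eventName": name, "sourceIPAddress": ip})


ACCT = "123456789012"                                    # example account ID
KEY = f"arn:aws:iam::{ACCT}:user/ci-deploy"              # principal whose key was stolen
ALICE = f"arn:aws:iam::{ACCT}:user/alice"                # normal admin activity
ATTACKER_IP = "198.51.100.23"                            # TEST-NET-2, constructed

SAMPLE_EVENTS = [
    # Stolen key maps the account across four services in under two minutes.
    _record("2021-02-15T03:12:01Z", KEY, "s3.amazonaws.com", "ListBuckets", ATTACKER_IP),
    _record("2021-02-15T03:12:05Z", KEY, "s3.amazonaws.com", "GetBucketLocation", ATTACKER_IP),
    _record("2021-02-15T03:12:40Z", KEY, "ec2.amazonaws.com", "DescribeInstances", ATTACKER_IP),
    _record("2021-02-15T03:13:02Z", KEY, "cloudtrail.amazonaws.com", "DescribeTrails", ATTACKER_IP),
    _record("2021-02-15T03:13:30Z", KEY, "iam.amazonaws.com", "ListAttachedUserPolicies", ATTACKER_IP),
    _record("2021-02-15T03:13:45Z", KEY, "iam.amazonaws.com", "ListAccessKeys", ATTACKER_IP),
    _record("2021-02-15T03:14:00Z", KEY, "ec2.amazonaws.com", "RunInstances", ATTACKER_IP),  # not discovery
    # Alice's scattered, ordinary lookups never reach the thresholds.
    _record("2021-02-15T09:00:00Z", ALICE, "ec2.amazonaws.com", "DescribeInstances", "203.0.113.8"),
    _record("2021-02-15T15:30:00Z", ALICE, "ec2.amazonaws.com", "DescribeInstances", "203.0.113.8"),
    _record("2021-02-15T15:31:00Z", ALICE, "s3.amazonaws.com", "ListBuckets", "203.0.113.8"),
]

if __name__ == "__main__":
    for f in find_enumeration_bursts(SAMPLE_EVENTS):
        print(json.dumps(f, indent=2))
```

Run against real CloudTrail data by feeding it the JSON records one per line; thresholds that work for a quiet account will be noisy in one where automation inventories resources on a schedule, so baseline per principal before alerting. A hit from a principal that normally deploys rather than enumerates, or from an IP the principal has never used, is the case worth paging on.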
Palo Alto Networks is not the only vendor to have reported on TeamTNT's activity against cloud-based services.
- A recent Trend Micro report found that the group has targeted more than 50,000 IP addresses across multiple clusters in the U.S., China, and several other countries, including hosts belonging to internet service providers and cloud service providers.
- TeamTNT has also extended its credential-harvesting malware, which targets Linux systems by abusing exposed private keys and reused passwords and can steal cloud-related files from infected hosts.
The bottom line
TeamTNT continues to enhance its capabilities for penetrating cloud-based infrastructure, specifically Google Cloud, AWS, Kubernetes, and other popular services. Organizations should proactively block the network connections and C2 endpoints associated with TeamTNT, but indicator blocking alone is not enough, since the group's infrastructure changes over time. Audit which hosts hold cloud credentials and private keys, rotate any that may have been exposed, and alert on unusual enumeration activity by cloud identities.