It looks like the lesser-known TeamTNT is emerging from the shadows. The group, known primarily for its cryptomining operations, has revamped its TTPs and widened its impact. Initially there was little to distinguish it from other groups carrying out this type of attack. Over the past several months, however, it has evolved its modus operandi and is now compromising widely used cloud services.
- When TeamTNT first came to researchers' attention, it was targeting misconfigured Docker hosts whose management API (the Docker daemon) was exposed to the network with no authentication at all.
- Once inside, the attackers deployed their own workloads on the compromised hosts to carry out DDoS and cryptomining operations.
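The misconfiguration those early intrusions relied on is easy to audit. The Python below is an added example, not code from the original article or from any TeamTNT sample: it checks a Docker daemon.json (or the dockerd command line found in a systemd unit or process listing) for tcp:// listeners that lack TLS client authentication, and shows the weak configuration beside a hardened one. The sample configurations are constructed; ports 2375 and 2376 follow Docker's conventional plaintext and TLS assignments, and the severity labels are this example's own.

```python
import json
import shlex
from urllib.parse import urlsplit

# Constructed sample configurations; they do not come from any real host.
EXPOSED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""

# Constructed command line, as it might appear in a systemd unit's ExecStart.
EXPOSED_CMDLINE = "dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375"

WIDE_OPEN_BINDS = {"", "0.0.0.0", "::"}


def parse_dockerd_cmdline(cmdline):
    """Turn the exposure-relevant flags of a dockerd command line into a
    daemon.json-style dict. Only -H/--host, --tls and --tlsverify are handled."""
    cfg = {"hosts": []}
    args = shlex.split(cmdline)
    i = 1  # skip the program name
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):
            cfg["hosts"].append(args[i + 1])
            i += 2
            continue
        if arg.startswith("--host="):
            cfg["hosts"].append(arg.split("=", 1)[1])
        elif arg.startswith("-H") and len(arg) > 2:
            cfg["hosts"].append(arg[2:])  # joined form: -Htcp://...
        elif arg in ("--tls", "--tls=true"):
            cfg["tls"] = True
        elif arg in ("--tlsverify", "--tlsverify=true"):
            cfg["tlsverify"] = True
        i += 1
    return cfg


def audit_docker_config(cfg):
    """Return (severity, message) findings for a daemon.json-style dict.

    Rules, following dockerd's own semantics:
      - a unix:// socket is local only and is not flagged;
      - tcp:// with neither tls nor tlsverify is a plaintext, unauthenticated API;
      - tls without tlsverify encrypts the connection but accepts any client;
      - tlsverify (which implies tls) requires a client cert signed by tlscacert.
    Even with mTLS, anyone holding a valid client certificate is effectively root
    on the host, so the client key material needs protecting too.
    """
    findings = []
    tls = bool(cfg.get("tls", False))
    tlsverify = bool(cfg.get("tlsverify", False))
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue
        bind = urlsplit(host).hostname or ""
        wide_open = bind in WIDE_OPEN_BINDS
        if tlsverify:
            if wide_open:
                findings.append(("INFO", f"{host}: client certificates required; consider a narrower bind address too"))
        elif tls:
            findings.append(("HIGH", f"{host}: TLS is on but tlsverify is off, so any client can issue API calls"))
        else:
            severity = "CRITICAL" if wide_open else "HIGH"
            findings.append((severity, f"{host}: Docker API reachable over plaintext TCP with no authentication"))
    return findings


def audit_daemon_json(text):
    """Convenience wrapper: audit a daemon.json document given as text."""
    return audit_docker_config(json.loads(text))


if __name__ == "__main__":
    for label, findings in (
        ("exposed daemon.json", audit_daemon_json(EXPOSED_DAEMON_JSON)),
        ("hardened daemon.json", audit_daemon_json(HARDENED_DAEMON_JSON)),
        ("exposed command line", audit_docker_config(parse_dockerd_cmdline(EXPOSED_CMDLINE))),
    ):
        print(label)
        for severity, message in findings or [("OK", "no network-exposed API found")]:
            print(f"  [{severity}] {message}")
```

Run it against the daemon.json and the ExecStart line of every host that runs Docker; a CRITICAL finding means anyone who can reach the port can start a privileged container on that host, which is exactly the foothold described above.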
Capturing their latest attack trends
- Recently, Unit 42 researchers observed a new variant of the Black-T cryptojacking malware associated with TeamTNT. The variant targets exposed Docker daemon APIs and bundles three network scanning tools to streamline the group's operation.
- In early September, the group was also held responsible for abusing Weave Scope, a legitimate monitoring tool, to establish fileless backdoors on targeted Docker and Kubernetes clusters. Because the tool is legitimate software, it gave the attackers remote access to victims' environments while blending in with normal administrative tooling rather than tripping security checks.
- A first-of-its-kind cryptomining campaign attributed to the group, notable for stealing AWS credentials, was observed in mid-August. It was carried out with a new worm, also dubbed 'TeamTNT', alongside an XMRig Monero miner.
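The AWS credential theft described above is the reason the credentials file on a cloud instance deserves an audit. The following Python is an added example, not code from the original article or from any TeamTNT sample: it parses an AWS CLI credentials file (standard layout assumed; the page does not say where the worm reads credentials from) and reports profiles holding long-lived IAM user keys (AKIA prefix) rather than temporary STS credentials (ASIA prefix), since long-lived keys keep working for an attacker from anywhere until someone rotates them. The sample file is constructed from the placeholder keys AWS uses in its own documentation.

```python
import configparser

# Constructed credentials file. The key IDs are the placeholder values AWS uses
# in its documentation, so nothing here is a real secret.
SAMPLE_CREDENTIALS_FILE = """
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[ci-temp]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = IQoJb3JpZ2luX2VjEXAMPLE

[region-only]
region = us-east-1
"""


def classify_access_key(key_id):
    """AWS access key ID prefixes: AKIA = long-term IAM user key (valid until
    rotated), ASIA = temporary STS credential (expires on its own)."""
    if key_id.startswith("AKIA"):
        return "long-lived"
    if key_id.startswith("ASIA"):
        return "temporary"
    return "unknown"


def redact(key_id):
    """Keep enough of the ID to locate the key in IAM without logging it whole."""
    return key_id[:4] + "..." + key_id[-4:]


def find_long_lived_keys(credentials_text):
    """Return [(profile, redacted_key_id)] for every profile holding a long-lived key.

    These are the entries a credential-stealing worm gets the most value from:
    they work from any network location and keep working until rotated.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(credentials_text)
    hits = []
    for profile in parser.sections():
        key_id = parser.get(profile, "aws_access_key_id", fallback=None)
        if key_id and classify_access_key(key_id) == "long-lived":
            hits.append((profile, redact(key_id)))
    return hits


if __name__ == "__main__":
    for profile, key in find_long_lived_keys(SAMPLE_CREDENTIALS_FILE):
        print(f"profile {profile!r} stores long-lived key {key}; "
              "prefer an instance role, or rotate the key and scope its policy down")
```

On EC2 the cleanest fix is to give the instance an IAM role and delete the static keys entirely, so there is nothing on disk for a worm to harvest; where a file is unavoidable, temporary credentials at least bound the window in which stolen material is usable.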
To sum it up
The recently observed campaigns against cloud instances show that TeamTNT has invested time and effort in improving its attack techniques. The group has also improved its detection evasion, concealing communication with its C2 servers so that intrusions persist longer. Organizations should therefore apply cloud security fundamentals rather than wait for the next variant: in particular, never expose the Docker daemon API without TLS client authentication, and keep long-lived cloud credentials off instances where a worm can harvest them.