Researchers Say ‘TeamTNT’ Targeting Docker and Kubernetes Installations
A recently uncovered cryptomining botnet now also has the capability to steal Amazon Web Services user credentials, according to the security firm Cado.
The gang behind this botnet, which Cado calls “TeamTNT,” originally targeted networks using vulnerable or unprotected Docker containers. Now, however, it appears the botnet has been upgraded to target Kubernetes installations, according to the report from Cado. Kubernetes is the container orchestration tool platform developed and backed by Google.
See Also: OnDemand Webinar | Fraud in the IVR
If the infected Docker container or Kubernetes installation runs on top of an AWS infrastructure, the botnet will then scan for unprotected credentials, make a copy of the username and password and then upload those to the command-and-control server operated by the cybercriminal gang, according to the report.
While it’s common for botnets to infect unprotected containers deployed in cloud infrastructures, the ability to upload and steal AWS credentials is unusual, according to Cado.
“It’s the first worm we’ve seen that contains such AWS-specific functionality,” the researchers note. “The worm also steals local credentials and scans the internet for misconfigured Docker platforms. We have seen the attackers, who call themselves ‘TeamTNT,’ compromise a number of Docker and Kubernetes systems.”
The Cado reports note that, so far, the cybercriminal gang apparently hasn’t attempted to sell any stolen AWS credentials or use them to support the cryptomining scheme.
The TeamTNT gang was spotted earlier this year by security firm Trend Micro and other security researchers.
In the first cases detected, the cybercriminals apparently scanned for Docker containers that were either misconfigured or left exposed to the internet and then planted malware to expand their botnet, according to the Trend Micro report.
Once inside the compromised Docker container, the attackers planted the XMRig mining malware to mine for monero cryptocurrency, according to Cado (see: ‘FritzFrog’ P2P Botnet Targets SSH Servers).
So far, Cado has found two digital wallets associated with the TeamTNT gang that contain a total of about $300 worth of monero, but the report notes that there could be other wallets associated with unknown attacks and infected networks.
Other Cloud-Based Cyrptomining Schemes
Over the past several months, researchers have uncovered a number of cryptomining campaigns targeting cloud platforms and containers.
In June, researchers at Palo Alto Networks’ Unit 42 discovered a cryptomining campaign that used malicious Docker images to hide cryptocurrency mining code (see: Hackers Used Malicious Docker Images to Mine Monero).
Microsoft’s Azure Security Center recently detected a hacking campaign that targeted the Kubeflow platform on Kubernetes and used the XMRig cryptominer to mine for monero across multiple clusters (see: Kubeflow Targeted in XMRig Monero Cryptomining Campaign).