Cloud services continue to suffer from massive attacks from TeamTNT
This time the hackers have set their sights on Microsoft Azure and Google Cloud Platform.
Researchers recently linked the TeamTNT group to two cloud credential theft campaigns targeting Microsoft Azure and Google Cloud Platform (GCP). This marks an expansion of the group's activity, which previously targeted only Amazon Web Services (AWS).
SentinelOne and Permiso reported the activity independently, each noting that both operations bear a clear resemblance to tooling attributed to the TeamTNT cryptojacking group.
The attacks, which use public Docker instances to deploy a distribution engine, are a continuation of a series of attacks that targeted Jupyter Notebook environments in December 2022, the experts say.
From June 15, 2023 to July 11, 2023, eight new versions of the credential collection script were discovered, indicating an actively developing threat.
The new versions of the malware are designed to harvest credentials from AWS, Azure, GCP, Censys, Docker, Filezilla, Git, Grafana, Kubernetes, Linux, Ngrok, PostgreSQL, Redis, S3QL, and SMB. The collected credentials are then sent to a remote server under the attacker’s control.
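A defender-side check suggested by that list, as an added example that is not from either report or from the attacker's tooling: it audits a home directory for the standard credential files of those client tools and flags any that other local users can read (the file paths are assumed client defaults, and the two files the demo creates are constructed sample data, not real secrets).

```python
#!/usr/bin/env python3
"""Audit a home directory for the on-disk credential files of the services
the reports say the TeamTNT script harvests, and flag any that other local
users can read. Paths are assumed client defaults, not taken from the reports."""
import stat
import tempfile
from pathlib import Path

# Default credential locations per client tool (assumed; adjust for non-default setups).
CREDENTIAL_FILES = {
    "AWS": [".aws/credentials", ".aws/config"],
    "Azure": [".azure/accessTokens.json", ".azure/msal_token_cache.json"],
    "GCP": [".config/gcloud/credentials.db",
            ".config/gcloud/application_default_credentials.json"],
    "Docker": [".docker/config.json"],
    "Git": [".git-credentials"],
    "Kubernetes": [".kube/config"],
    "Ngrok": [".config/ngrok/ngrok.yml", ".ngrok2/ngrok.yml"],
    "PostgreSQL": [".pgpass"],
    "FileZilla": [".config/filezilla/sitemanager.xml"],
}

def audit_home(home: Path) -> list[dict]:
    """Return one finding per credential file present under `home`."""
    findings = []
    for service, rel_paths in CREDENTIAL_FILES.items():
        for rel in rel_paths:
            path = home / rel
            if not path.is_file():
                continue
            mode = stat.S_IMODE(path.stat().st_mode)
            findings.append({
                "service": service,
                "path": str(path),
                "mode": oct(mode),
                # Group- or world-readable: any other local account (or a
                # container sharing the mount) can copy the file outright.
                "world_or_group_readable": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
            })
    return findings

def demo() -> list[dict]:
    """Build a throwaway home with two constructed credential files and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        aws = home / ".aws" / "credentials"
        aws.parent.mkdir()
        aws.write_text("[default]\naws_access_key_id = EXAMPLEKEY\n")  # constructed
        aws.chmod(0o600)                       # correctly locked down
        docker = home / ".docker" / "config.json"
        docker.parent.mkdir()
        docker.write_text('{"auths": {}}')     # constructed
        docker.chmod(0o644)                    # readable by every local user
        return sorted(audit_home(home), key=lambda f: f["service"])

if __name__ == "__main__":
    for finding in audit_home(Path.home()):
        print(finding)
```

Run it as the user whose home you want to check; `demo()` shows the expected output shape on the two sample files.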
SentinelOne stated that the credential collection logic and target files bear a clear resemblance to the Kubelet attack campaign that TeamTNT conducted in September 2022.
In addition to the malware script, the attacker also distributed a Go-based ELF binary that acts as a scanner, spreading the malware to vulnerable targets on the network.
“This campaign demonstrates the evolution of attackers in cloud environments who know a lot of technologies and have a lot of experience. Careful attention to detail indicates that the hackers have been honing their technique through trial and error for a long time,” said SentinelOne experts.
“We are confident that these cybercriminals are actively improving their tools. Based on the observed changes over the past weeks, it can be concluded that hackers are preparing to carry out malicious operations on a much larger scale,” the researchers concluded.