Security researchers Aqua Security warned that the TeamTNT grouping may be preparing a new large-scale campaign against the cloud environment called “SilentBob”. Such suspicions arose after experts discovered hackers targeting misconfigured servers.

Aqua Security launched an investigation after discovering an attack on one of its lures. Subsequently, 4 images of malicious containers were discovered. However, given that some features of the code have remained unused and there appears to be some manual testing currently underway, the researchers suggested that the campaign has not yet fully launched.

According to experts, the infrastructure is in the early stages of testing and deployment and is basically in line with an aggressive cloud worm designed to run on public API-interfaces JupyterLab And Docker to deploy Tsunami malware, capture credentials, capture resources, and further infect with the worm.

TeamTNT is a cybercriminal group known for devastating attacks on cloud systems, especially Docker and Kubernetes. The group specializes in cryptomining.

Although TeamTNT went out of business at the end of 2021, Aqua Security linked the new campaign to TeamTNT based on the use of the Tsunami malware, the dAPIpwn feature, and C2 serverswho answers in German.

Detected group activity starts when an attacker identifies a misconfigured Docker API or JupyterLab server and deploys a container or interacts with the Command Line Interface, CLI) to scan and identify additional victims.

Such a process is designed to spread malware to more servers. Secondary payload includes cryptominer And backdoor, with the backdoor using Tsunami malware as an attack tool. Aqua Security has published a list of recommendations to help organizations mitigate the threat.