The TeamTNT group allegedly has a new cloud credential stealing operation that targets Azure and Google Cloud Platform (GCP) services. The new campaign shares similarities with the TeamTNT group’s cryptojacking campaign. However, researchers said that the attack could be the work of other attackers.
The ongoing cybercriminal operation prioritises targeting public-facing Docker instances to deploy a propagation module that behaves like a worm. These attack methods are part of a more widespread intrusion set that previously focused on compromising Jupyter Notebooks last year.
Researchers discovered up to eight new variants of the credential harvesting script between June 15 and July 11, 2023. This detail indicates that the campaign is constantly evolving.
In addition, recent research explained that the newest iteration of the malware has been tailored to harvest credentials from various sources. The confirmed sources affected by this attack include Azure, Google Cloud Platform, AWS, Filezilla, Docker, Git, Censys, Grafana, Linux, Kubernetes, Ngrok, Redis, PostgreSQL, S3QL, and SMB.
The new TeamTNT campaign resembles its past attack from September last year.
According to investigations, the TeamTNT group’s method of harvesting credentials and the files it targets show similarities to one of its previous campaigns, which targeted Kubelet. In addition, these attacks align with a current TeamTNT campaign that uses the Silentbob botnet, which exploits poorly configured cloud services to propagate malware as part of a project that is still in development.
However, other researchers suspect a connection with SCARLETEEL since it has a similar attack sequence. Another piece of evidence linking the new campaign to SCARLETEEL is the involvement of a cryptocurrency miner configured with a Monero wallet address.
Researchers explained that they could not confirm TeamTNT as the culprit of the new campaign despite the solid connection between the campaigns. However, they acknowledge that TeamTNT has many attack variations.
This newly discovered campaign highlights the growth of a sophisticated cloud threat actor that knows multiple technologies. The inclusion of Azure and GCP credentials suggests that threat actors see valuable resources beyond AWS, even though they still prioritise targeting the AWS platform.
Organisations should minimise their exposure to external connections, such as Docker APIs and notebook servers reachable from the internet, to help mitigate the risks posed by the new cybercriminal operation.
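One way to act on that recommendation is to audit which of the services named in this article are listening on non-loopback addresses. The script below is an added example (not code from TeamTNT, the researchers, or any product mentioned here); it parses constructed `ss -ltn` output, and the port-to-service mapping is an assumption based on common defaults (2375/2376 Docker API, 8888 Jupyter, 6379 Redis, 5432 PostgreSQL).

```python
"""Flag listeners that expose services this campaign is reported to target."""
import subprocess

# Assumed default ports for services named in the article (not from the article).
WATCHED_PORTS = {2375: "docker-api-plain", 2376: "docker-api-tls",
                 8888: "jupyter", 6379: "redis", 5432: "postgresql"}

# Constructed sample in `ss -ltn` layout: State Recv-Q Send-Q Local Peer Process.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 4096 0.0.0.0:2375 0.0.0.0:* users:(("dockerd",pid=812,fd=3))
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:* users:(("redis-server",pid=901,fd=6))
LISTEN 0 128 [::]:8888 [::]:* users:(("jupyter-noteboo",pid=1120,fd=4))
LISTEN 0 244 [::1]:5432 [::]:* users:(("postgres",pid=640,fd=5))
LISTEN 0 4096 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=500,fd=3))
"""


def parse_local_addr(field):
    """Split an ss 'Local Address:Port' field into (host, port); host keeps IPv6 brackets."""
    host, _, port = field.rpartition(":")
    return host, int(port)


def is_loopback(host):
    """True only for 127.0.0.0/8 or ::1 binds; anything else is reachable over the network."""
    bare = host.strip("[]")
    return bare.startswith("127.") or bare == "::1"


def exposed_listeners(ss_lines):
    """Return (port, service, local_addr) for watched services bound off-loopback."""
    findings = []
    for line in ss_lines:
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":  # skip header and non-listeners
            continue
        host, port = parse_local_addr(parts[3])
        if port in WATCHED_PORTS and not is_loopback(host):
            findings.append((port, WATCHED_PORTS[port], parts[3]))
    return findings


def audit_live_host():
    """Run ss on this Linux host (iproute2 required) and audit its listeners."""
    out = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True).stdout
    return exposed_listeners(out.splitlines())


if __name__ == "__main__":
    for port, service, addr in exposed_listeners(SAMPLE_SS.splitlines()):
        print(f"{service} on {addr} is reachable from the network; restrict or firewall it")
```

Running it against the sample reports the Docker API on 0.0.0.0:2375 and Jupyter on [::]:8888, while the loopback-bound Redis and PostgreSQL listeners pass.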
