Researchers discovered a new botnet campaign from the TeamTNT group that aggressively targets cloud infrastructure using their new Silentbob tool. Based on reports, the attackers currently target different servers, including Docker and Kubernetes environments and Jupyter applications.
Moreover, the analysis revealed that the botnet operators focus on infecting systems and testing their botnet rather than launching cryptominers after infection for profit.
These discoveries emerged after a cloud security company detailed an intrusion by the TeamTNT group that targeted exposed Docker APIs and JupyterLab instances to deploy the Tsunami malware and hijack system resources to run a cryptocurrency miner.
The discoveries imply a broader campaign and a more significant attack infrastructure than the researchers initially found. The attack includes various shell scripts to steal credentials, launch SSH backdoors, download additional payloads and deploy legitimate tools to conduct surveillance of the cloud environment.
The rogue container images gave away the Silentbob botnet.
The researchers uncovered the Silentbob botnet’s attack chain after discovering rogue container images hosted on Docker Hub. The attack chain scans the internet for misconfigured instances and infects newly spotted victims with the Tsunami malware and a worm script that co-opts more devices into the botnet.
Initial findings stated that the botnet is aggressive and rapidly infects the cloud environment while targeting various services and apps within the SDLC. In addition, the botnet has an impressive and efficient scanning ability.
Tsunami, for its part, uses the IRC protocol to connect to the attacker-controlled C2 server, which issues commands to every infected host under its control and lets the operators establish backdoor access.
Furthermore, the attackers hide the cryptominer's execution with a provider rootkit to evade detection when the ps command is run on the infected system to retrieve the list of active processes.
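As an added, defender-side illustration (not code from the report or from any TeamTNT tooling): a small Python check that surfaces the process-hiding behaviour described above by comparing the PIDs enumerated directly from /proc with what ps reports, and by listing entries in /etc/ld.so.preload, the usual loading point for such hooks. The sample inputs in the test are constructed, and the live-run section assumes a Linux host with procps installed.

```python
"""Cross-check /proc against ps to spot a process-hiding rootkit."""
import os
import subprocess


def pids_from_proc(proc_entries):
    """Numeric directory names under /proc are live PIDs, read without going through ps."""
    return {int(entry) for entry in proc_entries if entry.isdigit()}


def pids_from_ps(ps_output):
    """Parse the PID column of `ps -eo pid=` output (header-less, one PID per line)."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def hidden_pids(proc_entries, ps_output):
    """PIDs present in /proc but missing from ps: the symptom a ps-hooking rootkit leaves."""
    return sorted(pids_from_proc(proc_entries) - pids_from_ps(ps_output))


def preload_libraries(preload_text):
    """Return non-comment entries of /etc/ld.so.preload; a populated file deserves review."""
    lines = (line.strip() for line in preload_text.splitlines())
    return [line for line in lines if line and not line.startswith("#")]


def audit(proc_entries, ps_output, preload_text):
    """Combine both checks into one report dict."""
    return {
        "hidden_pids": hidden_pids(proc_entries, ps_output),
        "preload_libs": preload_libraries(preload_text),
    }


def audit_live():
    """Run on the local host. Snapshot /proc twice around ps so a process that exits
    between the two reads is not mistaken for a hidden one (only PIDs in both snapshots count)."""
    before = set(os.listdir("/proc"))
    ps_out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True).stdout
    after = set(os.listdir("/proc"))
    try:
        with open("/etc/ld.so.preload") as fh:
            preload = fh.read()
    except FileNotFoundError:
        preload = ""
    return audit(before & after, ps_out, preload)


if __name__ == "__main__":
    print(audit_live())
```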
TeamTNT scours for credentials across numerous cloud environments, including Azure, AWS, and GCP. They also scan for specific apps such as Kubernetes, Git Access, Grafana, Docker Compose and NPM. Lastly, they search for databases and storage systems to increase their attack scope.
