TeamTNT Targeted Cloud Instances and Containerized Environments for Two Years
The threat actor known as TeamTNT has been targeting cloud instances and containerized environments on systems around the world for at least two years.


The findings come from CloudSEK security researchers, who posted an advisory on Thursday detailing a timeline of TeamTNT attacks from February 2020 until July 2021.


According to the report, the group's GitHub profile contains 25 public repositories, most of which are forks of popular red teaming tools and other repositories the group may have used.


Additionally, the domain spotted by CloudSEK and allegedly associated with TeamTNT was registered on February 10, 2020, the same period in which the group began actively targeting Redis servers.


In these initial campaigns, CloudSEK said, TeamTNT's aim was cryptojacking: the group deployed a number of tools typically used in such attacks, including pnscan, Tsunami and xmrigCC, among others.


TeamTNT then reportedly started attacking Docker instances in May 2020, mostly with the same cryptojacking-focused tools but adding the TCP port scanner masscan, used together with malicious Alpine images.


Throughout August 2020 the group continued its attacks on Docker, but switched to using Ubuntu images directly instead of Alpine. It also deployed the Linux kernel module (LKM) rootkit known as Diamorphine to hide its activity on infected machines.


Months later the group began abusing Weavescope, a legitimate cluster visualization and troubleshooting tool, as a backdoor, and in January 2021 a report by Lacework Labs suggested TeamTNT was using three new hacking tools against Kubernetes: Peirates, Botb and libprocesshider.
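Both Diamorphine (a kernel module that filters directory listings of /proc) and libprocesshider (an LD_PRELOAD library that hooks readdir in user space) hide a process from `ps`-style tools by hiding its /proc/<pid> directory from listings, not by removing the directory itself. The check below is an added example written for this page, not code from CloudSEK, Lacework or TeamTNT's repositories: it walks every candidate PID with a direct stat(), which neither hiding technique intercepts, compares the result against what a listing reports, and also flags anything registered in /etc/ld.so.preload, the file libprocesshider relies on. The paths, the pid_max source and the re-check step are my assumptions about a typical Linux host.

```python
#!/usr/bin/env python3
"""Added example (not from the advisory): find processes hidden from
readdir()-based tools such as ps, and list ld.so.preload entries.

Assumption: Linux procfs at /proc and pid_max at /proc/sys/kernel/pid_max.
"""
import os
from pathlib import Path

PROC = Path("/proc")                      # assumed procfs mount point
LD_SO_PRELOAD = Path("/etc/ld.so.preload")  # where libprocesshider registers itself


def listed_pids(proc: Path = PROC) -> set[int]:
    """PIDs visible through a directory listing, i.e. what ps/top see.
    scandir() goes through getdents64/readdir, the calls both rootkits hook."""
    return {int(d.name) for d in proc.iterdir() if d.name.isdigit()}


def reachable_pids(pid_max: int, proc: Path = PROC) -> set[int]:
    """PIDs whose /proc/<pid> answers a direct stat(); no listing involved."""
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            os.stat(proc / str(pid))
            found.add(pid)
        except FileNotFoundError:
            continue
        except PermissionError:
            found.add(pid)  # the entry exists even if we may not read it
    return found


def hidden_pids(listed: set[int], reachable: set[int]) -> set[int]:
    """Pure comparison: present in procfs, absent from the listing."""
    return reachable - listed


def confirm_hidden(candidates: set[int], proc: Path = PROC) -> set[int]:
    """Re-check to drop false positives from processes that started between
    the listing and the slow PID sweep: only report PIDs that still exist
    and are still missing from a fresh listing."""
    fresh = listed_pids(proc)
    return {p for p in candidates if p not in fresh and (proc / str(p)).exists()}


def suspicious_preloads(ld_so_preload_text: str) -> list[str]:
    """Parse /etc/ld.so.preload: one library path per line, '#' comments.
    On a clean host this file is usually absent or empty, so any entry
    deserves a look."""
    entries = []
    for line in ld_so_preload_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def main() -> None:
    pid_max = int(Path("/proc/sys/kernel/pid_max").read_text())
    hidden = confirm_hidden(hidden_pids(listed_pids(), reachable_pids(pid_max)))
    for pid in sorted(hidden):
        try:
            cmd = (PROC / str(pid) / "cmdline").read_bytes().replace(b"\0", b" ")
        except OSError:
            cmd = b"<unreadable>"
        print(f"HIDDEN pid={pid} cmdline={cmd.decode(errors='replace')!r}")
    if LD_SO_PRELOAD.exists():
        for lib in suspicious_preloads(LD_SO_PRELOAD.read_text()):
            print(f"PRELOAD {lib}")
    if not hidden and not LD_SO_PRELOAD.exists():
        print("no hidden processes, no ld.so.preload entries")


if __name__ == "__main__":
    main()
```

Run it as root so the stat() sweep covers every process; with the default pid_max of 4194304 the sweep takes some seconds, which is the price of not trusting the listing. A hit from `hidden_pids` alone is not proof, hence the `confirm_hidden` re-check; a persistent hit, or any entry in /etc/ld.so.preload, warrants pulling the host for forensic review.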


In the second half of 2021 the group's target list reportedly remained the same, but it extended its credential-stealing capabilities to additional services and applications, including AWS, FileZilla and GitHub, among others. In July, TeamTNT launched a campaign named 'Chimaera,' in which the group continued its attacks on Docker, Kubernetes and Weavescope services.


At the time of writing the domain associated with TeamTNT is offline, but the CloudSEK advisory notes that screenshots of it are still available on the Wayback Machine.


The security researchers suggested the group most likely originates from Germany, because most of its tweets and bash scripts (including comments) are in German and the account's location is set to 'Deutschland'.

Source: https://cyware.com/cyber-security-news-articles