The well-known hacker collective TeamTNT has started a fresh round of cloud-based assaults, focusing on Docker environments for illicit server rentals and cryptojacking. TeamTNT wants to sell access to stolen servers to third parties and steal computing resources for cryptocurrency mining, with an emphasis on breaking into cloud-native systems.
Contents
- 1 TeamTNT’s New Strategies: Taking Advantage of Docker Flaws
- 2 Early Indications of TeamTNT’s Initiative Revealed
- 3 Growing Revenue by Renting Out Mining Rigs
- 4 Creative Use of Command-and-Control (C2) Tools
- 5 Associated Dangers: The Campaign for the Prometei Botnet
- 6 A Changing Risk to Cloud Protection
TeamTNT’s New Strategies: Taking Advantage of Docker Flaws
Recent activity by TeamTNT shows that the group is still targeting weakly protected Docker instances, a strategy it has refined over multiple campaigns. According to Assaf Morag, Director of Threat Intelligence at Aqua Security, the gang has used exposed Docker daemons to distribute Sliver, an open-source command-and-control framework frequently used in intrusions. With this method, TeamTNT can use compromised Docker Hub accounts as distribution channels to spread malware and deploy cryptominers.
TeamTNT has broadened its operations by using Docker Hub to distribute malicious software, infecting Docker instances and enrolling them in a Docker Swarm, a cluster of Docker containers that can be controlled and manipulated remotely. The gang also profits from compromised server resources by selling their processing power for illegal bitcoin mining.
Early Indications of TeamTNT’s Initiative Revealed
Datadog, a security monitoring company, reported anomalous activity on Docker instances earlier this month that suggested TeamTNT might have taken control of them. Although those initial findings fell short of confirming the group’s involvement, Aqua Security’s later investigation established the scope of the attack, exposing both TeamTNT’s established techniques and its adaptation to detection efforts.
TeamTNT apparently adjusted its tactics to avoid early detection in response to Datadog’s findings, demonstrating its adaptability and resilience in the face of evolving defenses. To identify and breach insecure endpoints quickly, the group uses automated scanning tools such as masscan and ZGrab to find unauthenticated Docker API endpoints.
Growing Revenue by Renting Out Mining Rigs
One sign of how much more sophisticated TeamTNT’s operations have become is a change in its business model. By offloading compromised Docker servers to Mining Rig Rentals, a website where customers can rent processing capacity for mining, the group effectively outsources the work of managing the servers and instead concentrates on maximizing revenue from its many infected systems.
The group’s attack method relies on an automated script that scans millions of IP addresses for Docker daemons on specific ports, namely 2375, 2376, 4243 and 4244. Once a vulnerable server is identified, the script takes control of the machine for further exploitation by launching an Alpine Linux container loaded with malicious commands.
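The scanning described above succeeds only where a Docker daemon answers on a TCP port without client authentication. The following is an added example, not code from the article, Aqua Security or Datadog: a small audit script a defender can run on a host to check the two places that exposure usually comes from, the `hosts` setting in the daemon's configuration file and the host's listening sockets, against the four ports the article names. The daemon.json contents, the `ss -ltn` output and its column layout are constructed samples; `tlsverify`, `tlscacert`, `tlscert` and `tlskey` are real Docker daemon options.

```python
"""Audit a Docker host for an unauthenticated, TCP-exposed daemon.

Added example (not code from the article, Aqua Security or Datadog). It
checks the daemon's `hosts` setting in daemon.json and the host's listening
sockets against the ports the article says TeamTNT's scanner probes.
"""
import json

# Ports named in the article as the ones TeamTNT's scanner looks for.
DOCKER_API_PORTS = {2375, 2376, 4243, 4244}

# Real daemon.json keys that, together with "tlsverify": true, make the
# daemon require a client certificate on tcp:// listeners. Without them a
# TCP listener is an unauthenticated, root-equivalent API.
TLS_KEYS = ("tlscacert", "tlscert", "tlskey")

# Bind addresses that mean "every interface".
WILDCARD_BINDS = {"", "0.0.0.0", "[::]", "*"}

# Constructed sample of an exposed /etc/docker/daemon.json (values invented).
SAMPLE_EXPOSED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
  "log-driver": "json-file"
}
"""

# Constructed sample of a hardened daemon.json: TCP only on one interface,
# client certificates required (certificate paths invented).
SAMPLE_HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""

# Constructed sample of `ss -ltn` output (assumed column layout; listeners invented).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128           0.0.0.0:22          0.0.0.0:*
LISTEN  0       4096          0.0.0.0:2375        0.0.0.0:*
LISTEN  0       4096        127.0.0.1:4243        0.0.0.0:*
LISTEN  0       4096             [::]:2376           [::]:*
"""


def audit_daemon_config(config_text: str) -> list[str]:
    """Return one finding per tcp:// listener that lacks TLS client verification."""
    cfg = json.loads(config_text)
    tls_ok = bool(cfg.get("tlsverify")) and all(k in cfg for k in TLS_KEYS)
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are not network-reachable
        if tls_ok:
            continue  # client certificates required: not the exposure the scanner looks for
        bind, _, _port = host[len("tcp://"):].rpartition(":")
        scope = "all interfaces" if bind in WILDCARD_BINDS else bind
        findings.append(f"{host}: API reachable on {scope} without TLS client verification")
    return findings


def exposed_docker_listeners(ss_text: str) -> list[tuple[str, int]]:
    """Return (bind_address, port) for Docker API ports listening on every interface."""
    exposed = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or non-listening socket
        bind, _, port = fields[3].rpartition(":")
        if not port.isdigit() or int(port) not in DOCKER_API_PORTS:
            continue
        if bind in WILDCARD_BINDS:
            exposed.append((bind, int(port)))
    return exposed


if __name__ == "__main__":
    for finding in audit_daemon_config(SAMPLE_EXPOSED_DAEMON_JSON):
        print("config:", finding)
    for bind, port in exposed_docker_listeners(SAMPLE_SS_OUTPUT):
        print(f"socket: {bind}:{port} is listening on all interfaces")
```

On a real host, replace the samples with the contents of `/etc/docker/daemon.json` and the output of `ss -ltn`. The socket check matters even when daemon.json looks clean, because the listener can also be configured through the `-H` flag on the `dockerd` command line in the systemd unit, which the config-file audit never sees.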
Creative Use of Command-and-Control (C2) Tools
TeamTNT’s move from the Tsunami backdoor to the more sophisticated Sliver C2 framework marks a significant shift in its tooling. Sliver, an open-source command-and-control program, lets TeamTNT execute commands remotely and maintain a persistent presence on compromised systems. The change shows TeamTNT’s efforts to refine its methods, adopting advanced tools to evade detection and strengthen its hold on compromised machines.
The group also continues to use well-known naming schemes for its C2 operations, such as “Chimaera,” “TDGG,” and “bioset,” which have come to define TeamTNT campaigns. In addition, to connect to its web server without revealing the server’s IP address, it has adopted AnonDNS (Anonymous DNS), a privacy-centric DNS resolution technique.
Associated Dangers: The Campaign for the Prometei Botnet
According to Trend Micro, TeamTNT’s activity aligns with another malicious campaign run by the Prometei botnet. Prometei infiltrates networks and installs cryptomining malware by launching brute-force attacks against Server Message Block (SMB) and Remote Desktop Protocol (RDP). The campaign shows similar persistence techniques, such as credential harvesting and lateral movement within compromised networks, which allow infected computers to mine Monero continuously.
Like TeamTNT, the Prometei botnet uses the processing power of compromised systems to mine cryptocurrency covertly. This illustrates the rising prevalence of illicit mining and cryptojacking, which pose serious risks to businesses around the world.
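Brute-force attacks against SMB and RDP of the kind attributed to Prometei above leave a dense trail of failed logons from a single source. The following is an added example, not code from the article or Trend Micro: a detection that groups Windows Event ID 4625 (failed logon) records by source IP and logon type and reports sources that exceed a failure threshold inside a sliding time window. The event records, IP addresses and timestamps are constructed; the event ID and the logon-type values (10 for RDP, 3 for network logons such as SMB) are real Windows values.

```python
"""Flag RDP/SMB brute-force sources in Windows failed-logon events.

Added example (not code from the article or Trend Micro). It groups
Event ID 4625 records by source IP and logon type and reports sources
that exceed a failure threshold inside a sliding window, the pattern a
password-guessing botnet leaves behind.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Real Windows logon-type values: 10 = RemoteInteractive (RDP),
# 3 = Network (how SMB authentication attempts are logged).
PROTOCOL_BY_LOGON_TYPE = {10: "RDP", 3: "SMB/network"}
FAILED_LOGON_EVENT_ID = 4625


def _failures(ip, logon_type, start, count, step_seconds):
    """Build `count` constructed 4625 events from `ip`, `step_seconds` apart."""
    t0 = datetime.fromisoformat(start)
    return [
        {"time": (t0 + timedelta(seconds=i * step_seconds)).isoformat(),
         "event_id": FAILED_LOGON_EVENT_ID, "logon_type": logon_type,
         "ip": ip, "user": "administrator"}
        for i in range(count)
    ]


# Constructed sample log: one RDP guessing burst, one slow SMB source that
# never exceeds the threshold inside a single window, and one successful
# logon (4624). IPs come from documentation ranges; timestamps are invented.
SAMPLE_EVENTS = (
    _failures("203.0.113.7", 10, "2024-01-01T03:00:00", 6, 15)
    + _failures("198.51.100.9", 3, "2024-01-01T03:00:00", 3, 60)
    + _failures("198.51.100.9", 3, "2024-01-01T09:00:00", 3, 60)
    + [{"time": "2024-01-01T03:01:00", "event_id": 4624, "logon_type": 10,
        "ip": "192.0.2.4", "user": "jdoe"}]
)


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return {(ip, protocol): peak_failures} for sources with at least
    `threshold` failed RDP/SMB logons inside any span of length `window`."""
    times_by_source = defaultdict(list)
    for e in events:
        if e["event_id"] != FAILED_LOGON_EVENT_ID:
            continue
        protocol = PROTOCOL_BY_LOGON_TYPE.get(e["logon_type"])
        if protocol is None:
            continue  # interactive or service logons are not remote guessing
        times_by_source[(e["ip"], protocol)].append(datetime.fromisoformat(e["time"]))

    alerts = {}
    for source, times in times_by_source.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the left edge forward
                start += 1
            in_window = end - start + 1
            if in_window >= threshold:
                alerts[source] = max(alerts.get(source, 0), in_window)
    return alerts


if __name__ == "__main__":
    for (ip, protocol), n in failed_logon_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {ip}: {n} failed {protocol} logons within 5 minutes")
```

The sliding window, rather than a plain per-hour count, is what separates a guessing burst from an operator who mistypes a password a few times a day: the slow SMB source in the sample produces six failures in total but never five inside one window, so it is not reported at the default threshold.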
A Changing Risk to Cloud Protection
TeamTNT’s most recent cloud attacks demonstrate the group’s flexibility and ingenuity in breaking into cloud-native platforms. By compromising Docker daemons and combining Sliver with AnonDNS, TeamTNT has expanded its attack vectors and monetization techniques and become a powerful force in cryptojacking. As businesses depend more and more on cloud infrastructure, securing Docker environments and fixing RDP and SMB vulnerabilities will be essential to avoid exploitation by sophisticated threat actors like TeamTNT and Prometei.