TeamTNT launches fresh campaigns targeting cloud systems for cryptojacking and mining. New tactics raise concerns for cybersecurity.
Renewed Threats from TeamTNT
The notorious hacker group TeamTNT is back with a new campaign of attacks against cloud-native environments. Their focus is on mining cryptocurrencies and renting out compromised servers to third parties. This resurgence highlights TeamTNT’s relentless pursuit of financial gain through cybercrime.
Attack Mechanisms
TeamTNT is exploiting exposed Docker daemons to deploy Sliver malware and cryptominers. Assaf Morag, a threat intelligence director at Aqua, stated, “The group is currently targeting exposed Docker daemons to deploy Sliver malware, a cyber worm, and cryptominers.” This strategy lets them use the compromised servers themselves to spread their malware further.
Evolving Tactics
The group’s ability to evolve its tactics is evident. They mount multi-stage assaults to compromise Docker environments and incorporate them into a Docker Swarm. This adaptability shows their commitment to exploiting cloud infrastructures for cryptojacking.
Monetization Strategies
TeamTNT diversifies its monetization by offering compromised computational power to others for cryptocurrency mining. They leverage Docker Hub for hosting and distributing their malicious payloads. This allows them to maximize profits from their cybercriminal activities.
Emerging Reports
Earlier this month, Datadog uncovered attempts by TeamTNT to corral infected Docker instances into a Docker Swarm. Datadog hinted at TeamTNT’s involvement but did not confirm it. However, the full scope of this operation became clear only recently.
Early Discoveries
Morag informed The Hacker News that Datadog “found the infrastructure in a very early stage,” compelling the threat actor to adjust their campaign. This adaptability demonstrates the continuous cat-and-mouse game between cybersecurity experts and hackers.
Scanning for Vulnerabilities
The attacks involve scanning for unauthenticated and exposed Docker API endpoints across nearly 16.7 million IP addresses. TeamTNT utilizes tools like masscan and ZGrab to identify exposed endpoints on which cryptominers can be deployed. They also sell the compromised infrastructure on platforms like Mining Rig Rentals, allowing others to profit from their exploits.
Attack Execution
The group employs an attack script that targets Docker daemons on specific ports, including 2375 and 2376. They deploy containers running an Alpine Linux image embedded with malicious commands. This method enhances their ability to compromise systems quickly.
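The exposure described in the two passages above is an unauthenticated Docker API listening on a TCP port such as 2375 or 2376. The following Python script is an added defensive example, not code from the article or from Aqua, Datadog, or any other vendor: it audits a Docker daemon.json (the daemon's standard configuration file, whose "hosts", "tls", "tlsverify", "tlscacert", "tlscert" and "tlskey" keys are real Docker options) and flags the configuration that scanners like masscan and ZGrab would find, placing the weak configuration beside its hardened counterpart. The two sample configurations, the certificate paths and the 10.0.0.5 management address are constructed for illustration.

```python
"""Audit a Docker daemon.json for the exposure that cryptojacking scanners look for.

Added defensive example (not from the article or any vendor). It flags a
daemon whose API is reachable over TCP without client-certificate
verification, which is the 2375/2376 exposure the campaign scans for.
"""
import json
from typing import List
from urllib.parse import urlsplit

# Ports the article names as targets of the attack script.
DOCKER_PLAIN_PORT = 2375
DOCKER_TLS_PORT = 2376

# Constructed sample: a weak daemon.json that exposes the API to every host
# on every interface, with no authentication at all.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed sample: the hardened equivalent. Remote access is allowed only
# over TLS with client-certificate verification and only on a management
# address (10.0.0.5 and the certificate paths are placeholders).
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tls": True,
    "tlsverify": True,
    "tlscacert": "/etc/docker/certs/ca.pem",
    "tlscert": "/etc/docker/certs/server-cert.pem",
    "tlskey": "/etc/docker/certs/server-key.pem",
})


def audit_daemon_config(daemon_json: str) -> List[str]:
    """Return a list of findings; an empty list means no exposure was found."""
    cfg = json.loads(daemon_json)
    findings = []
    tls_verify = bool(cfg.get("tlsverify"))
    for host in cfg.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// listeners are local-only
        if not tls_verify:
            findings.append(
                f"{host}: Docker API reachable over TCP without client "
                f"certificate verification (tlsverify is not set)"
            )
        elif parts.port == DOCKER_PLAIN_PORT:
            findings.append(
                f"{host}: tlsverify is set but the listener uses the "
                f"conventional plaintext port {DOCKER_PLAIN_PORT}; confirm it is TLS"
            )
        if parts.hostname in ("0.0.0.0", "::"):
            findings.append(
                f"{host}: bound to all interfaces; restrict the bind address "
                f"or firewall port {parts.port or DOCKER_TLS_PORT}"
            )
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(f"[{label}]")
        for finding in audit_daemon_config(cfg) or ["no exposure found"]:
            print("  -", finding)
```

Run it against `/etc/docker/daemon.json` on a host to check its own listener configuration. Note that the audit only covers daemon.json; a daemon started with `-H tcp://...` on the dockerd command line (for example in a systemd unit) bypasses the file, so the listening sockets should also be confirmed with a port scan or `ss -ltnp` from inside the host.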
Command and Control Framework
Notably, TeamTNT has shifted from the Tsunami backdoor to the Sliver command-and-control framework. This new approach allows them to manage infected servers more effectively. Morag noted, “Additionally, TeamTNT continues to use their established naming conventions, such as Chimaera, TDGG, and bioset.”
DNS Anonymity
In this latest campaign, TeamTNT uses AnonDNS to point to its web server. This tactic enhances their anonymity and complicates detection efforts by cybersecurity firms.
Related Threats
Trend Micro recently highlighted a separate campaign involving a brute-force attack against an unnamed customer. This effort aimed to deliver the Prometei crypto mining botnet, which exploits vulnerabilities in Remote Desktop Protocol (RDP) and Server Message Block (SMB). The botnet allows attackers to mine cryptocurrencies like Monero without the victims’ knowledge.
Understanding the Risks
The activities of TeamTNT and similar threat actors underline the importance of cybersecurity vigilance. Organizations must secure their cloud environments against potential cryptojacking and other malicious activities.
The Need for Awareness
As cyber threats continue to evolve, businesses must adopt proactive measures to safeguard their systems. Understanding the tactics of groups like TeamTNT can help organizations implement effective defenses against these attacks.
Disclaimer:
The information provided on 13Desk is for informational purposes only and should not be considered financial advice. We strongly recommend conducting your own research and consulting with a qualified financial advisor before making any investment decisions. Investing in cryptocurrencies carries risks, and you should only invest what you can afford to lose. 13Desk is not responsible for any financial losses incurred from your investment activities.