Signs of TeamTNT becoming a much bigger threat
Separately, the researchers were able to gain access to the attackers’ C2 server and get a much better picture of the extent of the attack campaign. They also identified a plethora of scripts for targeting different cloud environments and technologies. These include multiple credential stealers, scripts for changing the iptables firewall rules, data discovery tools, malware downloaders, SSH and other types of backdoors, various malware programs including Tsunami, IP scanners, cryptominers, and pen-test tools.
“This botnet is notably aggressive, rapidly proliferating across the cloud and targeting a wide array of services and applications within the software development life cycle (SDLC),” the researchers said. “It operates at an impressive speed, demonstrating remarkable scanning capability. The botnet is designed to communicate with a central C2 server to determine the next range of IP addresses to scan.”
The core of the botnet is the Tsunami malware that TeamTNT has used in past attacks. This botnet client for Linux systems hides its running processes and connects to a predefined IRC channel through which attackers can issue commands to all the infected machines. The Aqua researchers accessed the server used in this latest campaign and observed 196 newly compromised machines over a seven-day period, or 1.3 new victims every hour.
“Given that this campaign is aggressively scanning the internet for exposed Docker APIs, Jupyter Lab and Notebook instances, Redis servers, SSH connections, and Weave Scope applications, it can rapidly infect new hosts that are exposed even for a brief moment,” the researchers warned.
The tools the attackers deploy search for credentials from databases and storage systems such as Postgres, AWS S3, FileZilla, and SQLite; configuration files for Kubernetes clusters, Google Cloud Platform, Azure, and AWS; and related cloud services such as EC2, Glue, Lambda, and Lightsail. While past TeamTNT attacks targeted primarily Docker containers, it’s clear that the attackers have significantly expanded the scope of their operations and can now target development, staging, and production environments as well as CI/CD pipelines, build processes, and even GitHub accounts.
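Because the campaign above picks up hosts that expose Docker APIs, Jupyter, Redis, SSH or Weave Scope to the internet even briefly, a quick self-check on each host is worth having. The script below is an added example, not code from the article or from Aqua: it parses `ss -lntp` output and flags those services when they are bound to all interfaces. The port numbers are the services' usual defaults (an assumption, not from the article), and the sample listener table is constructed for an offline run.

```python
import re

# Usual default ports for the services the campaign scans for
# (assumed defaults, not taken from the article).
TARGETED_PORTS = {
    2375: "Docker API (plaintext)",
    2376: "Docker API (TLS)",
    8888: "Jupyter Lab/Notebook",
    6379: "Redis",
    22: "SSH",
    4040: "Weave Scope",
}

# Bind addresses that make a socket reachable from outside the host.
WILDCARD_ADDRS = {"0.0.0.0", "*", "::", "[::]"}

# Constructed sample of `ss -lntp` output so the script runs offline.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:2375      0.0.0.0:*         users:(("dockerd",pid=812,fd=3))
LISTEN 0      511    127.0.0.1:6379    0.0.0.0:*         users:(("redis-server",pid=901,fd=6))
LISTEN 0      128    *:8888            *:*               users:(("jupyter-lab",pid=1337,fd=5))
LISTEN 0      128    [::]:22           [::]:*            users:(("sshd",pid=655,fd=3))
LISTEN 0      128    127.0.0.1:4040    0.0.0.0:*         users:(("scope",pid=2001,fd=9))
"""

# Matches the state, queue counters and "Local Address:Port" columns.
LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def parse_listeners(ss_output):
    """Return (bind_address, port) tuples from `ss -lntp`-style text."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append((m.group(1), int(m.group(2))))
    return listeners


def find_exposed(ss_output):
    """Return {port: service} for targeted services bound to all interfaces."""
    exposed = {}
    for addr, port in parse_listeners(ss_output):
        if port in TARGETED_PORTS and addr in WILDCARD_ADDRS:
            exposed[port] = TARGETED_PORTS[port]
    return exposed


if __name__ == "__main__":
    import subprocess
    try:
        out = subprocess.run(["ss", "-lntp"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_SS_OUTPUT  # fall back to the constructed sample
    for port, name in sorted(find_exposed(out).items()):
        print(f"EXPOSED: {name} listening on all interfaces, port {port}")
```

On the sample, Redis and Weave Scope are skipped because they are bound to loopback; the Docker API, Jupyter and SSH listeners are reported. Real `ss` output can include IPv6 scope ids and extra columns, so treat the regex as a starting point rather than a complete parser.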