TeamTNT, the infamous hacking group known for its cryptojacking campaigns, is making headlines again with a new wave of attacks targeting cloud-native environments. This time, their focus is on leveraging compromised servers for cryptocurrency mining and renting out these hijacked servers to third-party users.
According to Assaf Morag, director of threat intelligence at Aqua, TeamTNT is currently exploiting vulnerable Docker daemons to deploy a range of malicious tools, including the Sliver malware, a cyber worm, and cryptominers. The group is utilizing compromised servers and Docker Hub to distribute their malware payloads across various environments.
This latest activity showcases TeamTNT's ability to adapt its strategies, launching multi-stage attacks aimed at taking over Docker environments and transforming them into a Docker Swarm. Beyond their usual methods, the group is also monetizing by offering victims' computational resources for illicit cryptocurrency mining, indicating a broader approach to their criminal business model.
Earlier hints of this campaign surfaced when Datadog identified attempts to corral compromised Docker instances into a Docker Swarm. While Datadog did not initially attribute these activities to TeamTNT, the recent analysis sheds more light on the scale and intent behind the operation.
Morag revealed to The Hacker News that Datadog's discovery forced TeamTNT to adjust its tactics, having identified their infrastructure in the early stages of deployment. The revised strategy involves scanning for exposed Docker API endpoints using tools like masscan and ZGrab. This allows TeamTNT to deploy cryptominers and rent out the compromised infrastructure through platforms like Mining Rig Rentals, effectively outsourcing the management of these hijacked servers.
The group uses a sophisticated attack script that searches for Docker daemons on specific ports, deploying containers with an Alpine Linux image pre-loaded with malicious commands. One of the key tools in their arsenal is the Docker Gatling Gun ("TDGGinit.sh"), which initiates further malicious activities after deployment.
Aqua's research also highlights a shift in TeamTNT's methods: moving from the Tsunami backdoor to the open-source Sliver command-and-control (C2) framework for managing infected servers. Despite the new tools, TeamTNT's familiar naming conventions, such as Chimaera and TDGG, suggest this is a classic operation from the group. Additionally, they've incorporated anondns (Anonymous DNS), a technique designed to maintain privacy while routing traffic to their web server.
These developments coincide with Trend Micro's discovery of a separate attack campaign targeting a specific customer using brute-force methods to deploy the Prometei cryptomining botnet. Prometei exploits vulnerabilities in Remote Desktop Protocol (RDP) and Server Message Block (SMB) to spread throughout the network, enabling persistent access and cryptocurrency mining on compromised machines.
The ability of both TeamTNT and Prometei to exploit cloud infrastructure for cryptomining highlights the ongoing challenges of securing cloud-native environments. Organizations should stay vigilant, ensure robust cloud security measures, and monitor for unusual activities in their Docker setups to prevent falling victim to such sophisticated cyber threats.
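The entry point described above is a Docker API listener reachable over plain TCP, which is exactly what the masscan/ZGrab scans look for. As an added example (not code from Aqua's report, Datadog, or this article), the following Python audit checks a dockerd configuration, from daemon.json and/or the dockerd command line, for such an exposure; the configuration inputs in the test are constructed.

```python
"""Audit a dockerd configuration for an unauthenticated TCP API endpoint.

Added example: inspects the 'hosts' entries of daemon.json and/or -H/--host
flags on the dockerd command line, and reports any tcp:// listener that is not
protected by TLS client verification ("tlsverify": true / --tlsverify).
"""
import json
from urllib.parse import urlparse


def parse_cmdline(argv):
    """Extract -H/--host listeners and the --tlsverify flag from dockerd argv."""
    hosts, tlsverify = [], False
    it = iter(argv)
    for arg in it:
        if arg in ("-H", "--host"):
            hosts.append(next(it, ""))
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
    return hosts, tlsverify


def audit(daemon_json_text, argv=()):
    """Return a list of findings; an empty list means no exposed API listener."""
    cfg = json.loads(daemon_json_text) if daemon_json_text else {}
    hosts = list(cfg.get("hosts", []))
    tlsverify = bool(cfg.get("tlsverify", False))
    cli_hosts, cli_tls = parse_cmdline(list(argv))
    hosts += cli_hosts
    tlsverify = tlsverify or cli_tls

    findings = []
    for h in hosts:
        u = urlparse(h)
        if u.scheme != "tcp":          # unix:// and fd:// sockets are local-only
            continue
        # dockerd defaults: 2375 for plain TCP, 2376 when TLS is enabled
        port = u.port or (2376 if tlsverify else 2375)
        if not tlsverify:
            findings.append(f"{h}: Docker API on TCP port {port} without TLS "
                            "client verification; anyone who can reach it controls the daemon")
        elif u.hostname in (None, "", "0.0.0.0", "::"):
            findings.append(f"{h}: TLS-protected API bound to all interfaces; "
                            "restrict exposure with a firewall or bind to a specific address")
    return findings
```

Run it against `/etc/docker/daemon.json` and the `dockerd` process command line on each host; any finding in the first category should be treated as a remotely reachable root-equivalent control plane.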