CyberSecurity SEE

AWS Cloud Credential Theft Campaign Expands to Azure and Google Cloud


A recent cloud-credential stealing and cryptomining campaign that has been targeting Amazon Web Services (AWS) environments for several months has now expanded its scope to include both Azure and Google Cloud Platform (GCP), according to researchers. The tools used in the campaign bear similarities to those associated with TeamTNT, a well-known threat actor motivated by financial gain.

The shift in targeting appears to have started in June, as researchers from SentinelOne and Permiso found. The broader targeting aligns with the ongoing series of refinements that the threat actor has been making since the attacks began last December.

According to separate reports by the two firms, the attacks launched against Azure and Google’s cloud services employ the same core attack scripts used in the AWS campaign. However, the tools used in Azure and GCP are less developed than those used for AWS, remarked Alex Delamotte, a threat researcher at SentinelOne. Delamotte predicted that the attacker would likely develop more tools and automations for these environments in the coming weeks if they find them to be valuable.

The threat group known as TeamTNT is known for targeting exposed cloud services and capitalizing on misconfigurations and vulnerabilities. TeamTNT initially focused on cryptomining campaigns but has more recently expanded into data theft and the installation of backdoors.

In line with this, the attacker has recently started targeting exposed Docker services. They are using modified shell scripts designed to determine the environment they are in, profile the systems, search for credential files, and exfiltrate them. The scripts also include a function for collecting details about environment variables, likely to identify other valuable services on the system for future targeting.

The attacker’s toolset is capable of enumerating service environment information across different cloud service providers. However, credential harvesting appears to be the only activity against Azure or GCP that is automated; any subsequent actions are likely performed manually.

These findings align with research by Aqua Security, which recently observed malicious activity targeting public-facing Docker and JupyterLab APIs. Aqua researchers attributed this activity to TeamTNT with a high level of confidence.

Further analysis from SentinelOne and Permiso revealed TeamTNT’s plans to deploy an aggressive cloud worm in AWS environments. The aim of this worm would be to facilitate the theft of cloud credentials, resource hijacking, and the deployment of a backdoor called “Tsunami.”

The joint analysis also discovered that in addition to the shell scripts used in previous attacks, TeamTNT has started delivering a UPX-packed, Golang-based ELF binary. This binary drops and executes another shell script to scan a specified range of targets and propagate to vulnerable systems.

This propagation mechanism identifies systems responding with a specific Docker version user-agent. These Docker instances could be hosted on Azure or GCP. TeamTNT appears to be testing its tools in Azure and GCP environments, rather than carrying out specific objectives on impacted systems.
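The two behaviours described above, a harvester that profiles the host for credential files and secret-bearing environment variables, and a scanner that recognises a Docker daemon from its version response, map directly onto a defensive inventory. The script below is an added example written for this article, not code from the campaign or from the researchers' reports. It runs the same three checks from the defender's side: which cloud credential files exist under a home directory (and whether they are world-readable), which environment variable names look like secrets (names only, never values), and whether a captured HTTP reply from TCP/2375 came from an unauthenticated Docker daemon. The credential paths and name patterns are an assumed, defender-maintained list rather than the attacker's; the sample home directory, environment and HTTP response are constructed inline so the script runs offline.

```python
"""Inventory what a cloud credential harvester would find on this host.

Added example for this article; not code from the campaign or its analysts.
The file list, name patterns and sample data below are assumptions.
"""
import os
import re
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Well-known credential files, relative to a user's home directory (assumed list).
CREDENTIAL_FILES = {
    "aws": [".aws/credentials", ".aws/config"],
    "azure": [".azure/accessTokens.json", ".azure/msal_token_cache.json"],
    "gcp": [".config/gcloud/credentials.db", ".config/gcloud/access_tokens.db",
            ".config/gcloud/application_default_credentials.json"],
    "docker": [".docker/config.json"],
    "kubernetes": [".kube/config"],
    "ssh": [".ssh/id_rsa", ".ssh/id_ed25519"],
}

# Variable names that carry secrets, or (GOOGLE_APPLICATION_CREDENTIALS) point at a key file.
SECRET_ENV_PATTERN = re.compile(
    r"AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|AWS_SESSION_TOKEN|AZURE_CLIENT_SECRET|"
    r"GOOGLE_APPLICATION_CREDENTIALS|.*(_TOKEN|_SECRET|_PASSWORD|_API_KEY)"
)

# Constructed sample environment (values are placeholders, not real keys).
SAMPLE_ENV = {
    "HOME": "/root", "PATH": "/usr/bin:/bin", "LANG": "C.UTF-8",
    "AWS_ACCESS_KEY_ID": "AKIAEXAMPLE", "AWS_SECRET_ACCESS_KEY": "placeholder",
    "AZURE_CLIENT_SECRET": "placeholder", "DB_PASSWORD": "placeholder",
    "GITHUB_TOKEN": "placeholder",
}

# Constructed reply to GET /version from an unauthenticated Docker daemon.
SAMPLE_DOCKER_RESPONSE = (
    "HTTP/1.1 200 OK\r\nApi-Version: 1.43\r\nContent-Type: application/json\r\n"
    "Server: Docker/24.0.2 (linux)\r\n\r\n"
    '{"Platform":{"Name":"Docker Engine - Community"},"Version":"24.0.2","ApiVersion":"1.43"}'
)


def find_credential_files(home: Path) -> List[Tuple[str, str, bool]]:
    """Return (provider, path, world_readable) for each credential file present under home."""
    findings = []
    for provider, rel_paths in CREDENTIAL_FILES.items():
        for rel in rel_paths:
            path = home / rel
            if path.is_file():
                world_readable = bool(path.stat().st_mode & 0o004)
                findings.append((provider, str(path), world_readable))
    return findings


def find_secret_env_vars(env: Dict[str, str]) -> List[str]:
    """Return the names (never the values) of variables whose names look like secrets."""
    return sorted(name for name in env if SECRET_ENV_PATTERN.fullmatch(name))


def docker_daemon_version(raw_http_response: str) -> Optional[str]:
    """Parse a GET /version reply; return the daemon version if it is an open Docker API."""
    head, _, _body = raw_http_response.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = lines[0].split(" ")
    if len(status) < 2 or status[1] != "200":
        return None  # 401/403 or a non-HTTP service: not an unauthenticated daemon
    headers = {k.strip().lower(): v.strip()
               for k, v in (line.split(":", 1) for line in lines[1:] if ":" in line)}
    server = headers.get("server", "")
    if not server.lower().startswith("docker/"):
        return None
    return server[len("Docker/"):].split(" ")[0]  # "Docker/24.0.2 (linux)" -> "24.0.2"


def run_demo() -> dict:
    """Build a constructed home directory in a temp dir and run all three checks."""
    home = Path(tempfile.mkdtemp(prefix="cred-inventory-"))
    try:
        (home / ".aws").mkdir()
        (home / ".aws" / "credentials").write_text("[default]\naws_access_key_id = AKIAEXAMPLE\n")
        os.chmod(home / ".aws" / "credentials", 0o644)  # deliberately world-readable
        (home / ".kube").mkdir()
        (home / ".kube" / "config").write_text("apiVersion: v1\nkind: Config\n")
        os.chmod(home / ".kube" / "config", 0o600)
        files = find_credential_files(home)
    finally:
        shutil.rmtree(home)
    return {
        "files": [(p, Path(f).relative_to(home).as_posix(), wr) for p, f, wr in files],
        "env": find_secret_env_vars(SAMPLE_ENV),
        "docker_version": docker_daemon_version(SAMPLE_DOCKER_RESPONSE),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Run against a real account by calling `find_credential_files(Path.home())` and `find_secret_env_vars(dict(os.environ))`; any world-readable hit, or any secret reachable from the environment of a container with the Docker socket exposed, is exactly what the harvester scripts described above would exfiltrate. The Docker check only parses a reply you have already captured; it deliberately makes no network request.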

Sysdig, a cloud security vendor, updated its report on the ScarletEel cloud credential stealing and cryptomining campaign last week. This campaign, which targets AWS and Kubernetes services, has been linked to TeamTNT's activity by SentinelOne and Permiso. Sysdig determined that one of the primary goals of the campaign is to steal AWS credentials and use them to further exploit the victim’s environment by installing malware, stealing resources, and conducting other malicious activities.

According to Delamotte, attacks on Azure and GCP environments should be expected to involve frameworks similar to those used against AWS. She recommends that administrators consult with their red teams to understand the vulnerabilities and discover which attack frameworks work best against these platforms.

“Pacu is a known red team favorite for attacking AWS,” Delamotte explains. “We can expect these actors will adopt other successful exploitation frameworks.”

As this sophisticated campaign targeting multiple cloud service providers continues to evolve, organizations must remain vigilant and ensure their cloud environments are properly secured. The ability to detect and respond to threats promptly is crucial in preventing potential credential theft and other malicious activities.
