A new research study has uncovered an evolving campaign targeting cloud environments, with a focus on deploying the Tsunami malware and hijacking cloud credentials and resources. The campaign, which is still in the early stages of development, demonstrates characteristics of an aggressive cloud worm that specifically targets misconfigured JupyterLab and Docker APIs.
The campaign was first discovered by Aqua Nautilus researchers when their honeypot, which was deliberately configured with an exposed Docker API, was attacked. The researchers subsequently shared their findings in a report, shedding light on this potentially dangerous campaign. The notorious hacking group TeamTNT is suspected of being behind this campaign, as it has a history of targeting cloud-based resources.
The attack begins when the adversary identifies a misconfigured server, either a Docker API or JupyterLab instance, and proceeds to deploy a container or interact with the Command Line Interface (CLI) to scan for additional vulnerable targets. This process allows the malware to rapidly spread to a larger number of servers. In addition to deploying the Tsunami malware, the attack also includes a secondary payload consisting of a crypto miner and a backdoor.
The researchers identified several container images associated with this campaign. These images include “shanidmk/jltest2,” which is designed to detect exposed JupyterLab instances, and “shanidmk/sysapp,” which targets exposed Docker Daemon instances. Another image, “shanidmk/blob,” is an updated version of “shanidmk/sysapp,” which not only hunts for vulnerable Docker Daemon instances but also releases a cryptominer and incorporates the Tsunami malware as a backdoor. These container images have updated versions with specific release dates, further indicating ongoing development.
The container image used in this campaign is composed of multiple layers, with one layer containing a run.sh shell script that initiates upon container startup. This script downloads necessary packages and utilities for the environment and relocates the ZGrab application to the /bin library, enabling the attacker to perform banner grabbing. This is crucial for identifying JupyterLab and Docker API instances.
The attack continues with the utilization of the masscan tool, which scans and provides the IP address to be used by ZGrab for assessing if an exposed JupyterLab instance is operating at a particular URL. The gathered information is then stored in the JupyterLab.txt file and transmitted to the attacker’s command-and-control (C2) server. To expand the attacker’s reach, the C2 server returns an IP range for scanning based on the first octet of the attacker’s C2 server address, resulting in the scanning of nearly 16.7 million IP addresses within a /8 CIDR range.
To evade detection and minimize the risk of infrastructure shutdown, the attacker employs NGROK to conceal the C2 infrastructure. This adds an additional layer of complexity to tracking and stopping the attack.
To protect against these types of attacks, several preventative measures should be taken. First and foremost, organizations should ensure that JupyterLab is not running without proper authentication and that the token flag is configured correctly. Additionally, it is crucial to secure the Docker API and ensure that it is not exposed to the internet by being bound to 0.0.0.0. Regularly updating and patching Docker and cloud platforms is also essential to address any vulnerabilities.
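The two misconfigurations the campaign depends on, a Docker API listening on all interfaces without TLS and a JupyterLab instance with authentication switched off, can be checked directly in the daemon and server configuration files. The audit below is an added example, not code from the report or from Aqua Nautilus; the sample configurations it inspects are constructed, the configuration keys are the documented Docker daemon.json and Jupyter Server traitlet names, and the password hash is a placeholder.

```python
"""Audit Docker daemon and JupyterLab configuration for the two exposures
the campaign abuses: a Docker API reachable on 0.0.0.0 without client TLS
verification, and a JupyterLab server with token and password both empty.
Added example; the sample configuration documents below are constructed."""
import ast
import json
import re

# Constructed samples: the weak settings beside their corrected forms.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"],
})
SAFE_DAEMON_JSON = json.dumps({
    "hosts": ["tcp://127.0.0.1:2376", "unix:///var/run/docker.sock"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

WEAK_JUPYTER_CFG = """
c.ServerApp.ip = '0.0.0.0'
c.ServerApp.token = ''
c.ServerApp.password = ''
c.ServerApp.allow_root = True
"""
SAFE_JUPYTER_CFG = """
c.ServerApp.ip = '127.0.0.1'
c.ServerApp.password = 'argon2:PLACEHOLDER_HASH'   # placeholder, not a real hash
c.ServerApp.allow_root = False
"""

ALL_INTERFACES = {"", "0.0.0.0", "::", "[::]", "*"}


def audit_docker_daemon(daemon_json: str) -> list[str]:
    """Return findings for a daemon.json document; an empty list means clean."""
    cfg = json.loads(daemon_json)
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are not network-reachable
        bind = host[len("tcp://"):].rsplit(":", 1)[0]
        if bind in ALL_INTERFACES:
            findings.append(f"Docker API bound to all interfaces: {host}")
        if not cfg.get("tlsverify"):
            findings.append(f"TCP Docker API without client TLS verification: {host}")
    return findings


_SETTING = re.compile(r"^\s*c\.(?:ServerApp|NotebookApp)\.(\w+)\s*=\s*(.+?)\s*$")


def _parse_jupyter_config(text: str) -> dict:
    """Pull c.ServerApp.* / c.NotebookApp.* assignments out of a config file."""
    settings = {}
    for line in text.splitlines():
        m = _SETTING.match(line.split("#", 1)[0])
        if m:
            settings[m.group(1)] = ast.literal_eval(m.group(2))
    return settings


def audit_jupyter_config(config_text: str) -> list[str]:
    """Return findings for a jupyter_server_config.py; an empty list means clean."""
    s = _parse_jupyter_config(config_text)
    findings = []
    if s.get("ip") in ALL_INTERFACES:
        findings.append(f"JupyterLab bound to all interfaces: ip={s.get('ip')!r}")
    # Authentication is off only when the token is explicitly emptied AND no
    # password hash is configured; an unset token is auto-generated at startup.
    if "token" in s and s["token"] == "" and not s.get("password"):
        findings.append("JupyterLab authentication disabled: empty token and no password")
    if s.get("allow_root") is True:
        findings.append("JupyterLab permitted to run as root: allow_root=True")
    return findings


if __name__ == "__main__":
    for label, doc, fn in [
        ("weak daemon.json", WEAK_DAEMON_JSON, audit_docker_daemon),
        ("safe daemon.json", SAFE_DAEMON_JSON, audit_docker_daemon),
        ("weak jupyter config", WEAK_JUPYTER_CFG, audit_jupyter_config),
        ("safe jupyter config", SAFE_JUPYTER_CFG, audit_jupyter_config),
    ]:
        print(label, "->", fn(doc) or "clean")
```

On a real host, feed the audit `/etc/docker/daemon.json` and the active `jupyter_server_config.py`; a daemon started with `-H tcp://0.0.0.0:2375` on the command line rather than in daemon.json will not appear in the file, so pair the file check with a look at the daemon's listening sockets.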
Implementing the principle of least privilege can also help mitigate the impact of such attacks. By limiting the permissions and capabilities of containers, Docker daemons, and cloud instances, the potential damage can be significantly reduced. Furthermore, scanning the images used and being familiar with their contents, while minimizing privileges such as avoiding the use of the root user and privileged mode, are essential steps in preventing these attacks. Finally, organizations should thoroughly investigate logs, particularly focusing on user actions, to detect any anomalous behavior.
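The least-privilege and image-hygiene points above can be turned into a triage pass over the containers a daemon is actually running. The script below is an added example, not code from the report; it reads records in the shape `docker inspect` returns (the `Config.Image`, `Config.User`, `HostConfig.Privileged` and `HostConfig.Binds` keys are the real ones), the two container records are constructed, and the private-registry prefix used as the image allowlist is hypothetical.

```python
"""Triage container records (docker inspect shape) for the traits the
campaign relies on and the recommendations warn against: an image outside
the organization's allowlist, privileged mode, running as root, and the
Docker socket mounted into the container. Added example; records are
constructed and the allowlist prefix is hypothetical."""

# Hypothetical: images are only trusted from the organization's own registry.
IMAGE_ALLOWLIST_PREFIXES = ("registry.example.internal/",)
DOCKER_SOCKET = "/var/run/docker.sock"

# Constructed sample records. The first mirrors a container from this
# campaign (image name taken from the report); the second is a benign service.
SAMPLE_CONTAINERS = [
    {
        "Name": "/worm-spreader",
        "Config": {"Image": "shanidmk/blob:latest", "User": ""},
        "HostConfig": {
            "Privileged": True,
            "Binds": [f"{DOCKER_SOCKET}:{DOCKER_SOCKET}"],
        },
    },
    {
        "Name": "/web",
        "Config": {"Image": "registry.example.internal/web:1.4", "User": "10001:10001"},
        "HostConfig": {"Privileged": False, "Binds": ["/srv/web/static:/static:ro"]},
    },
]


def runs_as_root(user: str) -> bool:
    """An empty User, 'root', or uid 0 (optionally with a group) means root."""
    if not user:
        return True
    uid = user.split(":", 1)[0]
    return uid in ("root", "0")


def triage_container(record: dict) -> list[str]:
    """Return human-readable findings for one container; empty list means clean."""
    findings = []
    image = record.get("Config", {}).get("Image", "")
    user = record.get("Config", {}).get("User", "")
    host = record.get("HostConfig", {})

    if not image.startswith(IMAGE_ALLOWLIST_PREFIXES):
        findings.append(f"image outside allowlist: {image}")
    if host.get("Privileged"):
        findings.append("privileged mode enabled")
    if runs_as_root(user):
        findings.append("runs as root (no non-root User set)")
    for bind in host.get("Binds") or []:
        source = bind.split(":", 1)[0]
        if source == DOCKER_SOCKET:
            findings.append("Docker socket mounted into container")
    return findings


def triage_all(records: list) -> dict:
    """Map container name to its findings, omitting clean containers."""
    report = {}
    for rec in records:
        hits = triage_container(rec)
        if hits:
            report[rec.get("Name", "?")] = hits
    return report


if __name__ == "__main__":
    for name, hits in triage_all(SAMPLE_CONTAINERS).items():
        print(name)
        for h in hits:
            print("  -", h)
```

In practice the records come from `docker inspect $(docker ps -q)` on each host; a container that trips the image-allowlist rule on a daemon that was also found bound to 0.0.0.0 is exactly the combination the report describes and is worth pulling the daemon's request logs for, focusing on which principal issued the create call.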
In conclusion, the discovery of an ongoing campaign targeting cloud environments highlights the need for heightened security measures and precautions. As adversaries continue to evolve and develop sophisticated attack techniques, organizations must remain vigilant and ensure that their cloud infrastructures are adequately protected. Implementing the recommended security measures and regularly updating security protocols are crucial steps in mitigating the risk of falling victim to these types of attacks.