Monday, July 1, 2024

Silentbob worm attack targets multiple cloud technologies

Signs that TeamTNT is becoming a much bigger threat

Separately, the researchers were able to access the attacker’s C2 servers and gain a much better understanding of the scope of the attack campaign. They also identified numerous scripts targeting different cloud environments and technologies, including a range of malware: several credential stealers, scripts that change iptables firewall rules, data retrieval tools, malware downloaders, SSH and other types of backdoors, Tsunami, IP scanners, cryptominers and penetration testing tools.

“This botnet is particularly aggressive, spreading rapidly across the cloud and targeting a variety of services and applications within the software development lifecycle (SDLC),” the researchers said. “It works at an amazing speed, showing amazing scanning capabilities. The botnet is designed to communicate with a central C2 server to determine the next range of IP addresses to scan.”

At the heart of the botnet is the Tsunami malware, which TeamTNT has used in past attacks. This botnet client for Linux systems hides a running process and connects to a predefined IRC chat through which attackers can issue commands to all infected systems. Aqua researchers accessed the servers used in this latest campaign and observed 196 new compromised systems over seven days, or 1.3 new victims every hour.

“Given that this campaign is aggressively scanning the internet for exposed Docker APIs, Jupyter Lab and Notebook instances, Redis servers, SSH connections and Weave Scope applications, even a brief moment of exposure can quickly infect newly exposed hosts,” the researchers warned.
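A defender's first question after reading the list above is which of these services a given host actually exposes beyond loopback. The following script is an added example, not code from the article or from Aqua's research: it parses the output of `ss -Hltn` (a constructed sample is embedded so it runs offline) and flags listeners bound to non-loopback addresses on the default ports of the services the campaign scans for. The port numbers are assumed defaults, not values from the article, and the `TARGETED_PORTS` table and function names are this example's own.

```python
"""Audit listening TCP sockets for services the Silentbob campaign scans for.

Added example, not part of the original article or Aqua's tooling.
Parses `ss -Hltn` output and reports listeners on non-loopback addresses
whose port matches an assumed default port of a targeted service.
"""
import ipaddress
import subprocess

# Assumed default ports of the services named in the article
# (not taken from the article; adjust for your environment).
TARGETED_PORTS = {
    2375: "Docker API (plaintext)",
    2376: "Docker API (TLS)",
    8888: "Jupyter Lab/Notebook",
    6379: "Redis",
    22: "SSH",
    4040: "Weave Scope",
}

# Constructed sample of `ss -Hltn` output (State Recv-Q Send-Q Local Peer).
SAMPLE_SS_OUTPUT = """\
LISTEN 0      4096   0.0.0.0:2375       0.0.0.0:*
LISTEN 0      511    127.0.0.1:6379     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    [::]:8888          [::]:*
LISTEN 0      4096   127.0.0.1:4040     0.0.0.0:*
LISTEN 0      4096   *:443              *:*
"""


def parse_local(local: str) -> tuple[str, int]:
    """Split an ss 'Local Address:Port' field into (host, port).

    Handles IPv4 ('0.0.0.0:22'), bracketed IPv6 ('[::]:8888') and the
    wildcard form ('*:443').
    """
    host, _, port = local.rpartition(":")
    host = host.strip("[]")
    return host, int(port)


def is_exposed(host: str) -> bool:
    """True if the bind address is reachable from other hosts."""
    if host in ("*", ""):
        return True  # wildcard bind on all interfaces
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True  # unknown form: treat conservatively as exposed


def audit(ss_output: str) -> list[tuple[str, int, str]]:
    """Return (host, port, service) for every exposed targeted listener."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        host, port = parse_local(fields[3])
        if port in TARGETED_PORTS and is_exposed(host):
            findings.append((host, port, TARGETED_PORTS[port]))
    return findings


def live_audit() -> list[tuple[str, int, str]]:
    """Run the audit against the current host (Linux with iproute2)."""
    out = subprocess.run(["ss", "-Hltn"], capture_output=True, text=True, check=True)
    return audit(out.stdout)


if __name__ == "__main__":
    for host, port, service in audit(SAMPLE_SS_OUTPUT):
        print(f"EXPOSED {service}: {host}:{port}")
```

On the constructed sample this reports the plaintext Docker API, SSH and Jupyter listeners and stays quiet about Redis and Weave Scope, which are bound to loopback only. Run `live_audit()` on a real host to get the same report for its current listeners; anything it flags is a candidate for binding to loopback, fronting with authentication, or blocking at the firewall.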

Tools deployed by the attackers retrieve credentials from databases and storage systems such as Postgres, AWS S3, FileZilla and SQLite; from Kubernetes clusters and Google Cloud Platform; from configuration files in Azure and AWS; and from related cloud services such as EC2, Glue, Lambda and Lightsail. While past TeamTNT attacks primarily targeted Docker containers, it is now clear that the attackers have greatly expanded the scope of their work and can target CI/CD pipelines, build processes and GitHub accounts, as well as development, staging and production environments.
