Trend Micro specialists discovered the TeamTNT miner this spring. Now there is evidence that TeamTNT steals credentials from Amazon Web Services.
According to researchers, this malware has been active since April 2020 and regularly scans the Internet for misconfigured Docker installations, whose API is available to anyone.The TeamTNT botnet operators use these Docker installations to mine cryptocurrencies and DDoS attacks.
This week, researchers from the British company Cado Security published a report, according to which TeamTNT’s tactics have changed slightly over the past months, and the malware has learned new functions.
Researchers say that now malware attacks not only Docker, but Kubernetes as well.
Over the weekend we’ve seen a crypto-mining worm spread that steals AWS credentials. The worm also steals local credentials, and scans the internet for misconfigured Docker platforms. We have seen the attackers, who call themselves “TeamTNT”, compromise a number of Docker and Kubernetes systems”, — write Cado Security researchers.
In addition, TeamTNT has recently been looking for Amazon Web Services credentials on infected servers and stealing them.
For example, if the infected Docker and Kubernetes installations are running on the AWS infrastructure, TeamTNT operators scan for ~/.aws/credentials and ~/.aws/config, and then copy and send both files to their command and control server. These files are unencrypted and, in plain text, store the credentials for the AWS account, infrastructure, and configuration information.
According to Cado Security experts, so far the attackers have not tried to use stolen credentials in any way. The fact is that the researchers transferred a batch of their own recorded data to the TeamTNT management server, but so far no third parties have tried to access any of these accounts.
However, researchers believe that if attackers decide to monetize the stolen credentials, they can easily install their mining malware into more powerful AWS EC2 clusters, or simply sell the stolen information on the black market.
Tips for protecting systems from TeamTNT:
- Identify which systems are storing AWS credential files and delete them, if they are not used. It’s common to find that credentials have accidentally been left on production systems.
- Use firewall rules to limit any access to Docker APIs. We strongly recommend using a whitelisted approach for your firewall ruleset.
- Review network traffic for any connections to mining pools, or using the Stratum mining protocol.
- Review any connections sending the AWS Credentials file over HTTP.
Let me remind you that recently we wrote that updated version of Agent Tesla steals credentials from browsers and VPN clients.
