TeamTNT Cryptojacking Attacks: Docker Environments Targeted
According to recent reports, TeamTNT cryptojacking attacks are ongoing, with cloud-native environments as a key target. The objective is to mine cryptocurrency and to rent out breached servers to third parties. In this article we look at the details of these attacks and at how the group abuses Docker. Let's begin!
Uncovering TeamTNT
TeamTNT is a threat actor group that has been active since October 2019. During this time, they have primarily targeted cloud and containerized environments. After compromising these resources, the threat actor group uses them to deploy crypto miners within the targeted environments.
TeamTNT is relatively new compared with other threat groups targeting cloud environments, and its attack tactics resemble those of other groups. What sets it apart is its social media presence and aptitude for self-promotion.
The group is believed to be based in Germany, and posts on its X account are in both English and German. It has also been linked to the first crypto-mining worm to steal AWS credentials and to the Hildegard cryptojacking malware, and it launched an attack campaign against Docker and Kubernetes in February 2021.
That campaign was built around a collection of container images hosted on Docker Hub. The images targeted misconfigured Docker daemons, Weave Scope, and Kubeflow dashboards in order to carry out malicious activity including:
- Opening backdoors.
- Mining cryptocurrency.
- Stealing cloud credentials.
- Launching a worm to determine the next victim.
Recent TeamTNT Cryptojacking Attacks
The most recent TeamTNT cryptojacking attacks show the group's persistence and the evolution of its techniques. In these attacks the group mounted multi-stage operations that compromise Docker environments and enlist them into a Docker Swarm.
Assaf Morag, director of threat intelligence at the cloud security firm Aqua, described the activity as follows:
“The group is currently targeting exposed Docker daemons to deploy Sliver malware, a cyber worm, and cryptominers, using compromised servers and Docker Hub as the infrastructure to spread their malware.”
These findings indicate that the attackers are using tactics similar to those of their February 2021 campaign. A notable new aspect, however, is the diversification of their monetization strategy.
Reports state that the group uses Docker Hub to host and distribute its malicious payloads. In addition, it offers the computing power of compromised targets to third parties, who use it for illicit cryptocurrency mining. Commenting on this mining-rig rental setup, Morag stated that:
“They are also renting the victims’ computational power to third parties, effectively earning money indirectly from cryptomining without the hassle of managing it themselves.”
Docker Cryptojacking Attack Initial Discovery
These TeamTNT cryptojacking attacks were first discovered and disclosed earlier in October by Datadog, a cloud monitoring provider. The initial disclosure noted that exposed Docker instances were being targeted and enlisted into a Docker Swarm, and it was on the basis of these tactics that the campaign was attributed to TeamTNT.
Before diving into more detail, it is worth noting that the full extent of the operation is not yet clear; experts cited in media reports say the attack infrastructure was discovered at an early stage.
Early discovery and disclosure are essential for building a defensive strategy against such threats, although disclosure may also prompt the threat actor to change tactics.
Cryptocurrency Mining Malware Attack Details
Before diving into the details of the attacks, it is worth pointing out that the current TeamTNT cryptojacking attacks mark the start of a new cloud attack infrastructure for the group. At present the group uses both compromised web servers and Docker Hub for several malicious purposes, including:
- Malware distribution.
- Deployment of crypto miners.
- Renting out computational power.
TeamTNT Attacks Components
Since the group's inception, TeamTNT cryptojacking attacks have been centered on four key components:
- Lateral Movements
TeamTNT conducts both local and external lateral movement to find and infect further targets, using tools such as Masscan and ZGrab.
- Resource Hijacking
The most recent attacks focus on deploying a crypto miner. This lets the group take over the targeted infrastructure and then rent it out to others, reducing its own operational costs.
- Command And Control (C2)
In this campaign TeamTNT has been observed using the Sliver implant, possibly as a replacement for the Tsunami malware it used previously. Tsunami could be examined by researchers to gain insight into the group's operations; the same cannot be said of Sliver.
- Cloud Tools
The group is known for experimenting with cloud-native tools, open-source software (OSS) and offensive security tools (OSTs). In the recent attacks it is using:
- Docker Hub for storing and distributing malware.
- The Sliver implant for gaining control of compromised hosts and for post-exploitation.
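The scanning component above is the one a defender can turn around on their own estate: if Masscan and ZGrab can find an unauthenticated Docker API from the outside, so can you, before the attacker does. The following Python is an added example, not code from the article or from Aqua or Datadog. It sends a plaintext GET /version (an endpoint the Docker Engine API serves without authentication) to each host on the four ports the campaign probes and classifies the reply. The host list, the probe ports and the sample HTTP responses are assumptions constructed for this example; run it only against hosts you are authorized to test.

```python
"""Self-audit for Docker daemons that answer the API without authentication.

Added example, not code from the article or from Aqua/Datadog. It sends a
plaintext GET /version to each host and port and classifies the reply. The
ports, hosts and sample responses below are constructed for illustration.
"""
from __future__ import annotations

import json
import socket

# The four Docker API ports the article reports TeamTNT scanning for (assumed list).
DOCKER_API_PORTS = (2375, 2376, 4243, 4244)


def build_version_request(host: str) -> bytes:
    """Minimal HTTP/1.1 request for /version, which Docker serves unauthenticated."""
    return f"GET /version HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()


def _dechunk(body: bytes) -> bytes:
    """Decode an HTTP chunked body: hex size line, data, CRLF, ... , a zero-size chunk."""
    out = bytearray()
    while body:
        size_line, _, body = body.partition(b"\r\n")
        size = int(size_line.split(b";")[0] or b"0", 16)
        if size == 0:
            break
        out += body[:size]
        body = body[size + 2:]
    return bytes(out)


def classify_response(raw: bytes) -> dict:
    """Decide whether a raw HTTP response came from an unauthenticated Docker API.

    An exposed daemon answers 200 with a JSON object containing "ApiVersion". A
    TLS-only listener never returns readable HTTP to a plaintext probe, and an
    unrelated service returns another status or body, so both classify as safe.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("ascii", errors="replace").split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("ascii", errors="replace").partition(":")
        headers[name.strip().lower()] = value.strip()
    if len(status) < 2 or not status[0].startswith("HTTP/1.") or status[1] != "200":
        return {"exposed": False, "reason": f"no HTTP 200 reply: {lines[0][:40]!r}"}
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = _dechunk(body)
    try:
        info = json.loads(body)
    except ValueError:
        return {"exposed": False, "reason": "200 reply but body is not JSON"}
    if isinstance(info, dict) and "ApiVersion" in info:
        return {
            "exposed": True,
            "reason": "unauthenticated /version answered",
            "api_version": info["ApiVersion"],
            "engine": info.get("Version"),
            "server_header": headers.get("server"),
        }
    return {"exposed": False, "reason": "200 JSON reply without Docker fields"}


def probe(host: str, port: int, timeout: float = 3.0) -> dict:
    """Connect, send the probe, read until the peer closes, and classify the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_version_request(host))
            chunks = []
            while data := sock.recv(4096):
                chunks.append(data)
    except OSError as exc:  # refused, filtered, timed out: not reachable from here
        return {"host": host, "port": port, "exposed": False, "reason": f"no connection: {exc}"}
    return {"host": host, "port": port, **classify_response(b"".join(chunks))}


def audit(hosts, ports=DOCKER_API_PORTS) -> list[dict]:
    """Probe every host/port pair and return only the exposed endpoints."""
    return [r for host in hosts for port in ports if (r := probe(host, port))["exposed"]]


# Constructed replies used to exercise classify_response() without a network.
SAMPLE_EXPOSED = (
    b"HTTP/1.1 200 OK\r\nApi-Version: 1.43\r\nContent-Type: application/json\r\n"
    b"Server: Docker/24.0.7 (linux)\r\nConnection: close\r\n\r\n"
    b'{"Version":"24.0.7","ApiVersion":"1.43","MinAPIVersion":"1.12","Os":"linux","Arch":"amd64"}'
)
SAMPLE_CHUNKED = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\nTransfer-Encoding: chunked\r\n\r\n"
    b'14\r\n{"Version":"24.0.7",\r\n14\r\n"ApiVersion":"1.43"}\r\n0\r\n\r\n'
)
SAMPLE_WEB_SERVER = b"HTTP/1.1 404 Not Found\r\nServer: nginx\r\nConnection: close\r\n\r\nnot found"

if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:  # e.g. python docker_exposure.py 10.0.0.5 10.0.0.6 (hosts are assumed)
        for finding in audit(sys.argv[1:]):
            print(finding)
    else:
        for sample in (SAMPLE_EXPOSED, SAMPLE_CHUNKED, SAMPLE_WEB_SERVER):
            print(classify_response(sample))
```

A daemon on 2376 that enforces TLS client certificates answers the plaintext probe with a TLS alert, not HTTP, so it is correctly reported as not exposed; a daemon that merely listens on 2376 without TLS is caught just like one on 2375. Anything this script flags is reachable by the same scan TeamTNT runs.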
TeamTNT Cryptojacking Attack Chain
Researchers investigating the most recent TeamTNT cryptojacking attacks have highlighted techniques that recur throughout the campaign. The attack chain is broken down by stage, each with one or more actions (the action names follow MITRE ATT&CK technique names):
| Stage | Action(s) | Details |
|---|---|---|
| Initial Access | Exploit Public-Facing Application | Initial access is gained through Docker daemons exposed on TCP ports 2375, 2376, 4243 and 4244. |
| Execution | Command and Scripting Interpreter | The attackers run the initial script, "TDGGinit.sh", on the compromised host. |
| Persistence | Modify Cloud Compute Infrastructure – Create Cloud Instance | Docker and Docker Swarm binaries are downloaded to the compromised host, and the exposed Docker instances are joined to a Docker Swarm so that the group keeps access and control. |
| Defense Evasion | Exploitation for Defense Evasion | The Sliver implant is used to evade detection; it is dynamically compiled with per-binary encryption keys. |
| | Masquerading | Names such as "Chimaera" are used to pose as legitimate infrastructure and processes. |
| | Rootkit | The "prochider" rootkit, used by the group on previous occasions, was found. |
| Credential Access | Unsecured Credentials | The host is searched for keys and credentials, and the malware is distributed further once they have been acquired. |
| Discovery | Network Service Scanning | Tools such as masscan are used to scan actively for exposed Docker daemons. |
| | Remote System Discovery | Local network scanning is also performed to find additional systems to compromise. |
| Command and Control | Web Service – Dead Drop Resolver | Docker Hub and compromised web servers are used to store and distribute the malware. |
| | Application Layer Protocol – DNS | The Sliver implant maintains C2 communication. |
| | Proxy | C2 traffic is tunnelled through legitimate channels to evade detection. |
| Impact | Resource Hijacking | A crypto miner is deployed, or the computing power is sold to third parties. |
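Two rows of this chain can be checked directly on a host: Initial Access (an API listener reachable over TCP without authentication) and Persistence (the node enlisted into a Swarm). The Python below is an added example, not code from the article or from Aqua or Datadog. It audits a daemon.json for an unauthenticated TCP listener, shows the hardened configuration beside the weak one, and inspects the Swarm section of `docker info --format '{{json .}}'` for membership under managers you did not set up. The configuration files, node IDs and addresses are constructed for the example.

```python
"""Audit a Docker host for the two misconfigurations the attack chain relies on.

Added example, not code from the article or from Aqua/Datadog. It checks
(1) a daemon.json for an API listener reachable over TCP without client
certificate verification, and (2) the Swarm section of `docker info` JSON
for membership in a swarm run by unapproved managers. All samples are
constructed.
"""
from __future__ import annotations

import json

# Constructed weak daemon.json: the API is bound to every interface with no TLS.
WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

# Constructed hardened daemon.json: a specific address, TLS, and tlsverify so that
# only clients presenting a certificate signed by the CA can use the API.
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tls": true,
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""


def audit_daemon_config(text: str) -> list[str]:
    """Return findings for every TCP API listener declared in a daemon.json document."""
    cfg = json.loads(text)
    findings = []
    for entry in cfg.get("hosts", []):
        if not entry.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are not reachable from the network
        address, sep, port = entry[len("tcp://"):].rpartition(":")
        if not sep:  # "tcp://host" with no port: dockerd picks its default
            address, port = port, "(default)"
        if address.strip("[]") in ("", "0.0.0.0", "::"):
            findings.append(f"{entry}: API bound to all interfaces")
        if not cfg.get("tls"):
            findings.append(f"{entry}: plaintext API, anyone reaching port {port} controls the host")
        elif not cfg.get("tlsverify"):
            findings.append(f"{entry}: TLS without tlsverify, clients are encrypted but not authenticated")
    return findings


# Constructed excerpts of `docker info --format '{{json .}}'` for a standalone host
# and for a host that has been joined to a swarm whose manager is not ours.
INFO_STANDALONE = json.dumps({"Swarm": {"NodeID": "", "LocalNodeState": "inactive", "RemoteManagers": None}})
INFO_ENLISTED = json.dumps({"Swarm": {
    "NodeID": "x1z4w8k2hf5q3m9v7n0ptbl6r",
    "NodeAddr": "10.0.0.5",
    "LocalNodeState": "active",
    "ControlAvailable": False,
    "RemoteManagers": [{"NodeID": "q9r2t5y8u1i4o7p0asdfghjkl", "Addr": "203.0.113.10:2377"}],
}})


def audit_swarm_state(info_json: str, approved_managers: frozenset[str] = frozenset()) -> list[str]:
    """Flag a node that is an active Swarm member under managers not on the allow-list.

    approved_managers holds the IP addresses of managers you operate; an empty
    set means this host is never supposed to be part of a swarm at all.
    """
    swarm = json.loads(info_json).get("Swarm") or {}
    if swarm.get("LocalNodeState") != "active":
        return []
    managers = swarm.get("RemoteManagers") or []
    addrs = [m.get("Addr", "") for m in managers]
    if not approved_managers:
        return [f"node is an active Swarm member but no swarm is expected here (managers: {addrs})"]
    return [
        f"swarm manager {m.get('Addr')} (NodeID {m.get('NodeID')}) is not an approved manager"
        for m in managers
        if m.get("Addr", "").rsplit(":", 1)[0] not in approved_managers
    ]


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(text) or ["no findings"])
    print("standalone:", audit_swarm_state(INFO_STANDALONE) or ["no findings"])
    print("enlisted:", audit_swarm_state(INFO_ENLISTED, frozenset({"10.0.0.7"})))
```

On a live host, feed `audit_daemon_config` the contents of /etc/docker/daemon.json and `audit_swarm_state` the output of `docker info --format '{{json .}}'`. A TCP listener can also be enabled with a `-H tcp://...` flag on the dockerd command line (for example in a systemd drop-in), which daemon.json will not show, so check the running process's arguments as well.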
Conclusion
TeamTNT's cryptojacking attacks on Docker environments showcase the group's persistence and evolving techniques. By exploiting internet-exposed, misconfigured Docker daemons, the group not only mines cryptocurrency but also sells the compromised resources, underscoring the need for robust security practices to protect containerized environments.
The sources for this piece include articles in The Hacker News and Aqua.