"TeamTNT Targeted Cloud Instances and Containerized Environments For Two Years"

The threat actor known as TeamTNT has been targeting cloud instances and containerized environments on systems worldwide for at least two years. The findings come from CloudSEK security researchers, who posted an advisory on Thursday detailing a timeline of TeamTNT attacks from February 2020 until July 2021. According to the researchers, the group's GitHub profile contains 25 public repositories, most of which are forks of popular red teaming tools and other repositories the group possibly uses. Additionally, the domain spotted by the researchers and allegedly associated with TeamTNT was registered on February 10, 2020, the same period in which the group began actively targeting Redis servers.

The researchers stated that in the initial campaigns, the aim of TeamTNT was cryptojacking, as the group deployed a number of tools typically used for these attacks, including pnscan, Tsunami, and xmrigCC, among others. TeamTNT then reportedly started attacking Docker instances in May 2020, mostly using the same cryptojacking-focused tools but introducing the TCP port scanner masscan in conjunction with malicious Alpine images. The researchers noted that throughout August 2020, the cybercriminal group continued their attacks on Docker, but switched from Alpine to using Ubuntu images directly. They also deployed the Linux Kernel Module (LKM) rootkit known as Diamorphine to hide their activities on infected machines.

The researchers noted that months later, the group began abusing Weavescope, a legitimate troubleshooting tool, as a backdoor, and in January 2021, a report by Lacework Labs suggested TeamTNT was using three new hacking tools targeting Kubernetes: Peirates, Botb, and libprocesshider. In the second half of 2021, the group's target list reportedly remained the same, but they expanded their credential-stealing capabilities to additional services and applications, including AWS, Filezilla, and GitHub, among others.

The researchers stated that in July, TeamTNT launched a campaign named "Chimaera," suggesting the group continued their attacks on Docker, Kubernetes, and Weavescope services.


Infosecurity reports: "TeamTNT Targeted Cloud Instances and Containerized Environments For Two Years"
