Security researchers have warned that the notorious TeamTNT group may well be preparing a major new campaign against cloud-native environments, after spotting a threat actor hunting for misconfigured servers.
Aqua Security launched its investigation after detecting an attack on one of its honeypots. It subsequently found four malicious container images. However, given that some of the code functions remained unused and there appeared to be a degree of manual testing going on, the researchers theorized that the campaign is yet to fully launch.
“This infrastructure is in early stages of testing and deployment, and mainly consists of an aggressive cloud worm, designed to deploy on exposed JupyterLab and Docker APIs in order to deploy Tsunami malware, cloud credentials hijack, resource hijack and further infestation of the worm,” it claimed.
“We strongly believe that TeamTNT is behind this new campaign.”
TeamTNT is a prolific cybercrime group known for aggressive attacks on cloud-based systems, especially Docker and Kubernetes environments. It focuses on cryptomining, although over time it has evolved to take in other malicious activities.
Although TeamTNT appeared to cease operations back in late 2021, Aqua Security linked the new campaign to the group via the Tsunami malware it commonly used, the use of the dAPIpwn function and a C2 server that replies in German.
The researchers haven’t ruled out an “advanced copycat”, although it would have to be a similarly sophisticated group capable of emulating TeamTNT code and which has a “distinct sense of humor” and “affinity for the Dutch language.”
The new threat activity observed by Aqua Security begins when the threat actor identifies a misconfigured Docker API or JupyterLab server and deploys a container or engages with the Command Line Interface (CLI) to scan for and identify more victims.
“This process is designed to spread the malware to an increasing number of servers,” the blog post noted. “The secondary payload of this attack includes a cryptominer and a backdoor, the latter employing the Tsunami malware as its weapon of choice.”
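As an added example (not from the Aqua Security report or this article), the following Python audit flags the two misconfigurations the worm is described as hunting for: a Docker daemon that accepts API connections over plain TCP without TLS client verification, and a Jupyter server that has token and password authentication switched off. The daemon.json and jupyter_server_config.py snippets are constructed for illustration, and the password hash is a placeholder.

```python
import json
import re
from typing import List
# Constructed sample daemon.json files (hypothetical, not from the report).
# Weak: the Docker API listens on every interface over plain TCP with no TLS.
WEAK_DOCKER_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})
# Hardened: TCP stays, but clients must present a cert signed by the local CA.
HARDENED_DOCKER_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True, "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"})

# Constructed sample jupyter_server_config.py files (hypothetical).
# Weak: bound to all interfaces, token and password both disabled, runs as root.
WEAK_JUPYTER_CFG = """
c.ServerApp.ip = '0.0.0.0'
c.ServerApp.token = ''
c.ServerApp.password = ''
c.ServerApp.allow_root = True
"""
# Hardened: loopback only and a hashed password (placeholder hash value).
HARDENED_JUPYTER_CFG = """
c.ServerApp.ip = '127.0.0.1'
c.ServerApp.password = 'argon2:PLACEHOLDER_HASH'
"""

def audit_docker_daemon(daemon_json: str) -> List[str]:
    """Flag any tcp:// listener that is not protected by tlsverify."""
    cfg = json.loads(daemon_json)
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify", False):
        return [f"Docker API on {tcp_hosts} without tlsverify: anyone who can "
                "reach the port can start containers on this host"]
    return []

# Matches lines like: c.ServerApp.token = ''  (older configs use NotebookApp)
_ASSIGN = re.compile(r"^\s*c\.(?:ServerApp|NotebookApp)\.(\w+)\s*=\s*(.+?)\s*$", re.M)
def audit_jupyter_config(cfg_text: str) -> List[str]:
    """Flag an unauthenticated server; note whether it is reachable remotely."""
    settings = {k: v.strip("'\"") for k, v in _ASSIGN.findall(cfg_text)}
    findings = []
    # token='' with no password means Jupyter serves notebooks to anyone.
    if settings.get("token") == "" and not settings.get("password"):
        scope = "all interfaces" if settings.get("ip") in ("0.0.0.0", "*", "") else "loopback"
        findings.append(f"Jupyter accepts unauthenticated access on {scope}")
    if settings.get("allow_root") == "True":
        findings.append("Jupyter runs as root: a notebook terminal is a root shell")
    return findings
```

Run the two audit functions over the real files (/etc/docker/daemon.json and the Jupyter config directory) to get an empty list on a hardened host and a finding per exposure otherwise.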
Aqua Security posted a list of recommendations to help organizations mitigate the threat.