TeamTNT gang may target Azure and Google Cloud users

Criminals with a history of deploying malware to harvest credentials from Amazon Web Services accounts may extend their attention to organizations using Microsoft Azure and Google Cloud Platform.

Researchers from SentinelOne, Permiso Security, and Aqua Security say the credential theft campaign, which began in June, bears the hallmarks of the infamous TeamTNT crew, but cannot be attributed with certainty.

That said, according to Alex Delamotte, a researcher at SentinelOne's SentinelLabs, given the amount of work the crew has put into improving its tooling, and the addition of Azure and Google Cloud accounts to its list of targets, the group appears ready to ramp up its attacks.

Whoever the criminals are, they appear to be harvesting cloud infrastructure credentials such as AWS keys from victims' Jupyter notebooks. Access to these notebooks may require exploiting a poorly secured web application, or the notebooks may simply have been left publicly accessible by mistake. The criminals' ultimate goal is to obtain the credentials and use them to copy malware onto someone else's cloud-based systems and execute it there.

Once the crew's code is running on the victim's resources, the intruders can run scripts on the remote systems to find and collect more access credentials, mine cryptocurrency, and open backdoors through which information can be siphoned off or operations interfered with. The crew used to primarily target AWS users, but now seems to be looking for ways into Azure and Google Cloud accounts as well.

“AWS has long been the target of many cloud-focused parties, but its expansion into Azure and GCP credentials shows that other major competitors hold valuable data,” Delamotte said in a report this week.

“We believe this actor is actively tuning and improving their tools.”

Permiso researcher Abian Morina speculated on Wednesday that the multi-cloud campaign may have already started as of this week.

It's not entirely clear exactly how the crew infiltrates people's cloud resources, but the linked advisories contain technical details and indicators of compromise, and the researchers say defenders should use that information to detect and stop intrusions.

Cloud credentials are a common target

According to an Elastic Security Labs article last year, 33% of cyberattacks in the cloud used stolen credentials, a technique TeamTNT is well known for. The group has been around since 2019, but announced its departure two years ago. Trend Micro, however, said the team, known for targeting cloud and container environments, was back in business late last year.

In December 2022, Permiso documented how TeamTNT was probing the Jupyter Notebook service, primarily for AWS credentials. Criminals also began targeting vulnerable Docker deployments and appear to have updated their intrusion tools.

These updates add support for harvesting Azure and Google Cloud credentials, make the scripts more modular so they can carry out more complex attacks, improve credential collection, and introduce the curl command-line tool for exfiltrating data.

Additionally, the group previously hosted command and control (C2) activity and files in openly accessible directories on a single domain. Access to the C2’s directory now requires a hard-coded username and password, making it more difficult to inspect and stop. This infrastructure previously used Dutch-based IP addresses, but now runs across multiple subdomains.

Researchers also found ELF binaries built from Golang source code. This executable is used to spread the malware to other vulnerable targets in a seemingly worm-like manner. The criminals hide this system scanner as a Base64-encoded object embedded within the binary to make detection more difficult.

Something evil is coming

The latest campaign “demonstrates the evolution of many tech-savvy and skilled cloud actors,” Delamotte wrote.

“The meticulous attention to detail shows that the attackers have clearly gone through a lot of trial and error and are improving, which shows a certain level of maturity and skill.”

The SentinelLabs and Permiso research echoes findings Aqua published earlier this month about a “potentially large-scale campaign against cloud-native environments,” which researchers Ofek Itach and Assaf Morag laid at the feet of TeamTNT or groups using the same techniques.

They write that their investigation began after they detected an attack on a Jupyter honeypot operated by Aqua, which led them to examine container images and Docker Hub accounts. They described the Silentbob campaign as “an aggressive cloud worm designed to deploy on public JupyterLab and Docker APIs in order to deploy Tsunami malware, hijack cloud credentials, hijack resources, and further spread the worm.”

Like SentinelLabs, Aqua's researchers said the activity appeared to be a trial run for a larger operation.

“Given that some functions in the code remain unused and the linked attack pattern suggests manual testing, we theorize that the attacker is in the process of optimizing the algorithm,” they wrote in early July.

“It appears that TeamTNT or a TeamTNT copycat is preparing a campaign. We treat this as an early warning and hopefully try to stop the campaign.”

To protect against such attacks, Aqua and SentinelLabs recommend that enterprises never deploy Jupyter software without authentication, properly configure and patch web applications to minimize the chance of exploitation, restrict external access to Docker, and restrict Docker permissions by applying the principle of least privilege to containers.
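As an added illustration of that hardening advice (example code written for this article, not from the vendors' reports), the following Python audit flags the weak Jupyter and Docker settings the campaign relies on, beside their hardened equivalents. The Jupyter key names assume Jupyter Server 1.x-style `ServerApp` traitlets from `jupyter_server_config.py`, the Docker keys mirror `daemon.json`, and all sample values are constructed.

```python
"""Flag Jupyter and Docker daemon settings that leave the APIs reachable without auth."""
import ipaddress

# Constructed sample configs: weak settings beside their hardened equivalents.
JUPYTER_WEAK = {"ServerApp.ip": "0.0.0.0", "ServerApp.token": "", "ServerApp.password": ""}
JUPYTER_HARDENED = {
    "ServerApp.ip": "127.0.0.1",
    "ServerApp.password": "argon2:PLACEHOLDER_HASH",   # placeholder, not a real hash
    "ServerApp.certfile": "/etc/jupyter/server.pem",    # assumed path
}
DOCKER_WEAK = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
DOCKER_HARDENED = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",                  # assumed path
}


def binds_beyond_loopback(host: str) -> bool:
    """True when a bind address would accept connections from other machines."""
    if host in ("", "localhost"):
        return False
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:            # unparseable hostname: assume it is reachable
        return True


def audit_jupyter(cfg: dict) -> list[str]:
    """Report a notebook server that is exposed without a token or password."""
    findings = []
    ip = cfg.get("ServerApp.ip", "localhost")
    # A missing token key means Jupyter generates a random one; "" disables it.
    token_disabled = cfg.get("ServerApp.token") == ""
    no_password = not cfg.get("ServerApp.password")
    if binds_beyond_loopback(ip):
        if token_disabled and no_password:
            findings.append(f"jupyter: {ip} reachable with no token and no password")
        if not cfg.get("ServerApp.certfile"):
            findings.append(f"jupyter: {ip} serves credentials and notebooks without TLS")
    return findings


def audit_docker(daemon: dict) -> list[str]:
    """Report a Docker API socket exposed over TCP without client certificate checks."""
    findings = []
    for host in daemon.get("hosts", []):
        if not host.startswith("tcp://"):
            continue                                  # unix socket: local access only
        addr = host[len("tcp://"):].rsplit(":", 1)[0]
        if binds_beyond_loopback(addr) and not daemon.get("tlsverify"):
            findings.append(f"docker: API on {host} without TLS client verification")
    return findings
```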

Sources

https://www.theregister.com/2023/07/15/teamtnt_aws_azure_google/
