


Criminals with a history of deploying malware to harvest credentials from Amazon Web Services accounts may extend their attention to organizations using Microsoft Azure and Google Cloud Platform.

Researchers from SentinelOne, Permiso Security, and Aqua Security say the credential theft campaign, which began in June, bears the hallmarks of the infamous TeamTNT crew, but attribution is not yet definitive.

That said, according to Alex Delamotte, a researcher at SentinelOne's SentinelLabs, given the amount of work the crew has put into improving its tooling, and the addition of Azure and Google Cloud accounts to its list of targets, the group appears ready to ramp up its attacks.

Whoever the criminals are, they appear to be harvesting cloud infrastructure credentials such as AWS keys from victims' Jupyter notebooks. Access to these notebooks may require exploiting a poorly secured web application, or the notebooks may simply have been left publicly accessible by mistake. The criminals' ultimate goal is to obtain the credentials and use them to copy malware onto someone else's cloud-based systems and execute it there.

Once the crew's code is executing on a victim's resources, the intruders can run scripts on the remote systems to find and collect further access credentials, mine cryptocurrency, and open backdoors through which to siphon off information or interfere with operations. The crew previously targeted primarily AWS users, but now appears to be looking for ways into Azure and Google Cloud accounts as well.

“AWS has long been the target of many cloud-focused parties, but the expansion into Azure and GCP credentials shows that other major competitors hold valuable data,” Delamotte said in a report this week.

“We believe this actor is actively tuning and improving their tools.”

Permiso researcher Abian Morina speculated on Wednesday that the multi-cloud campaign may already be underway as of this week.

It is not entirely clear exactly how the crooks get into people's cloud resources, but the researchers' advisories contain technical details and indicators of compromise, and they say defenders should use that information to detect and stop intrusions.

Cloud credentials are a common target

According to an Elastic Security Labs article last year, 33 percent of cyberattacks in the cloud used stolen credentials, a technique TeamTNT is well known for. The group has been around since 2019, but announced its departure two years ago. Trend Micro, however, said the crew, known for targeting cloud and container environments, was back in business late last year.

In December 2022, Permiso documented how TeamTNT was probing the Jupyter Notebook service, primarily for AWS credentials. Criminals also began targeting vulnerable Docker deployments and appear to have updated their intrusion tools.

These updates add support for harvesting Azure and Google Cloud credentials, make the scripts more modular so they can carry out more complex attacks, improve credential collection, and introduce the curl command-line tool for exfiltrating data.

Additionally, the group previously hosted command and control (C2) activity and files in openly accessible directories on a single domain. Access to the C2’s directory now requires a hard-coded username and password, making it more difficult to inspect and stop. This infrastructure previously used Dutch-based IP addresses, but now runs across multiple subdomains.

Researchers also found ELF binaries built from Golang source code. This executable is used to spread malware to other vulnerable targets in a seemingly worm-like manner. Criminals hide this system scanner as a Base64 object embedded within the binary to make detection more difficult.

something evil is coming here

The latest campaign “demonstrates the evolution of many tech-savvy and skilled cloud actors,” Delamotte wrote.

“The meticulous attention to detail shows that the attackers have clearly gone through a lot of trial and error and are improving, which shows a certain level of maturity and skill.”

The SentinelLabs and Permiso research echoes findings Aqua published earlier this month about a “potentially large-scale campaign against cloud-native environments” that researchers Ofek Itach and Assaf Morag laid at the feet of TeamTNT or a group using the same techniques.

They write that their investigation began after they detected an attack on a Jupyter honeypot operated by Aqua, which led them to examine container images and Docker Hub accounts. They described the Silentbob campaign as a “cloud worm”: “an offensive attack designed to deploy on public JupyterLab and Docker APIs to deploy Tsunami malware, hijack cloud credentials, hijack resources, and further propagate the worm.”

Like SentinelLabs, Aqua's researchers said it appeared the attackers were running a trial ahead of a larger operation.

“Given that some functions in the code remain unused and the linked attack pattern suggests manual testing, we theorize that the attacker is in the process of optimizing the algorithm,” they wrote in early July.

“It appears that TeamTNT or a TeamTNT copycat is preparing a campaign. We treat this as an early warning and hopefully try to stop the campaign.”

Aqua and SentinelLabs recommend that enterprises protect themselves from such attacks by never deploying Jupyter software without authentication, properly configuring and patching web applications to minimize exploitation, restricting external access to Docker, and applying the principle of least privilege to container permissions.
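As an added example, not code from the article or from the researchers' reports, here is a small Python audit that checks a Jupyter Server JSON config and a Docker daemon.json for the two weak settings the recommendations above target: a notebook reachable from the network without authentication, and the Docker API exposed over plain TCP without TLS. The config key names (ServerApp/NotebookApp ip, token, password; Docker hosts, tls, tlsverify) are the real ones; the two sample configs are constructed.

```python
import json

# Constructed sample: a jupyter_server_config.json with authentication switched
# off and the server bound to every interface.
JUPYTER_CFG = json.dumps({
    "ServerApp": {"ip": "0.0.0.0", "token": "", "password": "", "open_browser": False}
})
# Constructed sample: a daemon.json that exposes the Docker API over plain TCP.
DOCKER_CFG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
    "tls": False
})


def audit_jupyter(config_text):
    """Return findings for a Jupyter Server (or classic Notebook) JSON config."""
    cfg = json.loads(config_text)
    # Classic Notebook uses the NotebookApp section; Jupyter Server uses ServerApp.
    app = cfg.get("ServerApp") or cfg.get("NotebookApp") or {}
    findings = []
    ip = app.get("ip", "localhost")  # Jupyter defaults to localhost
    exposed = ip in ("0.0.0.0", "*", "::")
    # An absent token means Jupyter generates a random one; an explicitly empty
    # token together with no password disables authentication entirely.
    unauth = app.get("token") == "" and not app.get("password")
    if exposed:
        findings.append("jupyter: listens on all interfaces (ip=%s)" % ip)
    if unauth:
        findings.append("jupyter: authentication disabled (empty token, no password)")
    if exposed and unauth:
        findings.append("jupyter: CRITICAL unauthenticated notebook reachable over the network")
    return findings


def audit_docker(config_text):
    """Return findings for a Docker daemon.json."""
    cfg = json.loads(config_text)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    for host in tcp_hosts:
        findings.append("docker: API exposed on %s" % host)
    # A TCP listener is only acceptable with TLS client verification enabled.
    if tcp_hosts and not (cfg.get("tls") or cfg.get("tlsverify")):
        findings.append("docker: CRITICAL TCP API without TLS client verification")
    return findings


if __name__ == "__main__":
    for line in audit_jupyter(JUPYTER_CFG) + audit_docker(DOCKER_CFG):
        print(line)
```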

