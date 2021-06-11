




June 11, 2021

Palo Alto Networks Unit 42 reports that TeamTNT, a cryptojacking group, is using compromised Amazon Web Services (AWS) credentials to attack cloud environments through the platform’s application programming interface (API).

TeamTNT’s operations now include a new malware called Black-T that targets AWS credentials, targets Kubernetes clusters once an environment has been compromised, and integrates open source cloud-native tools to assist in cryptojacking operations, the report said. Kubernetes is a container orchestration platform developed and supported by Google.

The cybercriminals are trying to enumerate all identity and access management (IAM) permissions, Elastic Compute Cloud (EC2) instances, Simple Storage Service (S3) buckets, CloudTrail configurations, and CloudFormation operations granted to the compromised AWS credentials, the report says.

An AWS spokeswoman told the Information Security Media Group (ISMG) that the reported activity was not an AWS vulnerability. The company points users to its AWS security best practices and IAM security best practices to help them protect their credentials.

Other cloud-based apps of interest

As it evolves its cloud-focused cryptojacking operations, the group also targets credentials for 16 other cloud-based applications and services, including Google Cloud, Docker, GitHub, Shodan, Ngrok, Pidgin, FileZilla, HexChat, and Project Jupyter.

According to Palo Alto’s report, the focus on Google Cloud is the first known instance of this group of attackers targeting IAM credentials on a compromised cloud instance outside of AWS.

Google Cloud did not respond to ISMG’s request for comment.

In addition, TeamTNT has added Peirates, an open source Kubernetes and cloud penetration-testing toolset, to its reconnaissance activities, Palo Alto reports.

With these techniques, TeamTNT actors are able to gather enough information in the targeted AWS and Google Cloud environments to perform additional post-exploitation operations. This could increase the number of lateral movement and privilege escalation attempts that could eventually allow TeamTNT attackers to gain administrative access to an organization’s entire cloud environment, the report stated.

Other exploits

Microsoft Azure, Alibaba Cloud, Oracle Cloud, and IBM Cloud IAM credentials may have been targeted in a similar way, but Palo Alto researchers say no evidence has yet been found to support that hypothesis.

Separately, the researchers identified a TeamTNT malware repository containing multiple bash scripts designed to perform cryptojacking, exploitation, lateral movement, and credential scraping operations. The repository, called Chimaera, highlights the expansion of TeamTNT’s operational reach in cloud environments and the target set of its current and future operations.

In a recent report, Trend Micro states that attackers were actively scanning for and compromising Kubernetes clusters.

According to that report, more than 50,000 IPs were compromised across multiple clusters between March and May, with the activity targeting internet and cloud service providers in several countries, especially China and the United States.

Defense and prevention

TeamTNT attackers are specifically targeting cloud platforms in order to evade security detection tools and embed themselves in an organization’s cloud environment, Palo Alto reports.

Organizations using cloud environments are advised to monitor and block all network connections associated with TeamTNT’s Chimaera repository, as well as its past command and control (C2) endpoints. A cloud-native security platform can significantly reduce the attack surface of cloud infrastructure and allow an organization to monitor its risk.

