The threat actor known as TeamTNT has been targeting cloud and containerized environments on systems around the globe for at least two years.
The findings come from CloudSEK security researchers, who published an advisory on Thursday detailing a timeline of TeamTNT attacks from February 2020 until July 2021.
According to the report, the group's GitHub profile contains 25 public repositories, most of which are forks of popular red teaming tools and other repositories possibly used by the group.
Also, the domain spotted by CloudSEK and allegedly connected with TeamTNT was registered on February 10, 2020, the same period in which the group began actively targeting Redis servers.
In these initial campaigns, CloudSEK reported that TeamTNT's goal was cryptojacking, as the group deployed a number of tools typically used for such attacks, including pnscan, Tsunami and xmrigCC, among others.
TeamTNT then reportedly began attacking Docker instances in May 2020, generally using the same cryptojacking-focused tools but adding the TCP port scanner masscan in conjunction with malicious Alpine images.
During August 2020, the cybercriminal group continued their attacks on Docker, but they started using Ubuntu images directly instead of Alpine. They also deployed the Linux Kernel Module (LKM) rootkit known as Diamorphine to hide their activities on infected machines.
Months later, they began abusing Weavescope, a troubleshooting tool, and leveraging it as a backdoor, and in January 2021, a report by Lacework Labs suggested TeamTNT was using three new hacking tools targeting Kubernetes: Peirates, Botb, and libprocesshider.
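One of the tools named above, libprocesshider, is a public project that hides processes by being listed in /etc/ld.so.preload, so that every dynamically linked program loads it and gets filtered directory listings of /proc. A host-side check a defender can run is therefore simply to audit that file, which on a clean system is normally absent or empty. The script below is an added example, not code from the article, CloudSEK or the tool's authors; the sample file contents, the EDR library path and the allowlist are constructed for the demonstration.

```python
"""Audit /etc/ld.so.preload for unexpected shared objects (added example).

ld.so(8) documents the file as a whitespace-separated list of ELF shared
objects loaded into every process before the program itself; '#' comments
are stripped here as well. Any entry an administrator did not put there
deserves a look, and an entry in a scratch directory is doubly suspicious.
"""
import os
import re
from typing import Dict, FrozenSet, List

PRELOAD_PATH = "/etc/ld.so.preload"

# Constructed sample: what a compromised host's /etc/ld.so.preload might hold.
SAMPLE_PRELOAD = """# hook library installed by a (constructed) EDR agent
/opt/edr/lib/libedrhook.so
/usr/local/lib/libprocesshider.so
"""

# Constructed allowlist: libraries an administrator knowingly preloads.
SAMPLE_ALLOWLIST: FrozenSet[str] = frozenset({"/opt/edr/lib/libedrhook.so"})

# Locations where a legitimate system-wide preload library has no business.
SCRATCH_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")


def parse_preload(text: str) -> List[str]:
    """Return the library paths listed in ld.so.preload content.

    Tokens are split on whitespace or ':'; anything after '#' on a line is
    ignored, so a line may carry zero, one or several entries.
    """
    entries: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        entries.extend(tok for tok in re.split(r"[\s:]+", line) if tok)
    return entries


def audit_preload(text: str, allowlist: FrozenSet[str]) -> Dict[str, List[str]]:
    """Classify each preloaded library as allowed or suspicious.

    Suspicious means: not on the allowlist, or not an absolute path, or
    living under a scratch/home directory (even if someone allowlisted it).
    """
    result: Dict[str, List[str]] = {"allowed": [], "suspicious": []}
    for lib in parse_preload(text):
        in_scratch = lib.startswith(SCRATCH_PREFIXES)
        if lib in allowlist and lib.startswith("/") and not in_scratch:
            result["allowed"].append(lib)
        else:
            result["suspicious"].append(lib)
    return result


def read_preload(path: str = PRELOAD_PATH) -> str:
    """Read the real preload file; an absent file is the normal, clean case."""
    if not os.path.isfile(path):
        return ""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.read()


if __name__ == "__main__":
    # Demo on the constructed sample; swap in read_preload() for a live host.
    report = audit_preload(SAMPLE_PRELOAD, SAMPLE_ALLOWLIST)
    for lib in report["allowed"]:
        print(f"ok        {lib}")
    for lib in report["suspicious"]:
        print(f"SUSPICIOUS {lib}")
    if not report["allowed"] and not report["suspicious"]:
        print("ld.so.preload is empty or absent: nothing preloaded system-wide")
```

Run it with `read_preload()` in place of the sample on a host you administer; because a preloaded library can also hook the very libc calls this script makes, an empty result from a dynamically linked interpreter is not proof of a clean system, and a statically linked tool or an offline disk image gives a more trustworthy reading.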
In the second half of 2021, the group's target list reportedly remained the same, but they expanded their credential-stealing capabilities to additional services and applications, including AWS, Filezilla and GitHub, among others. In July, TeamTNT launched a campaign named 'Chimaera,' suggesting the group continued their attacks on Docker, Kubernetes, and Weavescope services.
At the time of writing, the domain associated with TeamTNT is offline, but the CloudSEK advisory noted that some screenshots of the domain are still available on the Wayback Machine.
The security researchers suggested the group most likely originated from Germany, since most of the tweets and bash scripts (including comments) are in German, and the account's location is set to 'Deutschland'.
Parts of this report are sourced from:
www.infosecurity-magazine.com