The Cyber Security News
TeamTNT’s Cloud Credential Stealing Campaign Now Targets Azure and Google Cloud

July 14, 2023

A malicious actor has been linked to a cloud credential stealing campaign in June 2023 that is focused on Azure and Google Cloud Platform (GCP) services, marking the adversary's expansion in targeting beyond Amazon Web Services (AWS).

The findings come from SentinelOne and Permiso, which said the "campaigns share similarity with tools attributed to the notorious TeamTNT cryptojacking crew," although it emphasized that "attribution remains challenging with script-based tools."

They also overlap with an ongoing TeamTNT campaign disclosed by Aqua called Silentbob that leverages misconfigured cloud services to drop malware as part of what is said to be a testing effort, while also linking SCARLETEEL attacks to the threat actor, citing infrastructure commonalities.


"TeamTNT is scanning for credentials across multiple cloud environments, including AWS, Azure, and GCP," Aqua noted.

The attacks, which single out public-facing Docker instances to deploy a worm-like propagation module, are a continuation of an intrusion set that previously targeted Jupyter Notebooks in December 2022.

[Image: Azure and Google Cloud]

As many as 8 incremental versions of the credential harvesting script have been discovered between June 15, 2023, and July 11, 2023, indicating an actively evolving campaign.

The newer versions of the malware are designed to gather credentials from AWS, Azure, Google Cloud Platform, Censys, Docker, Filezilla, Git, Grafana, Kubernetes, Linux, Ngrok, PostgreSQL, Redis, S3QL, and SMB. The harvested credentials are then exfiltrated to a remote server under the threat actor's control.
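Because the harvester reads local credential stores for the services listed above, a defender's first question is which of those files exist on a host and whether other local users can read them. The following audit script is an added example written for this article, not code from the researchers or the malware; the file locations are assumed conventional paths for each tool, and the sample home directory it builds is constructed for the demonstration.

```python
import os
import stat
import tempfile
# Credential stores named in the article, mapped to the per-user file locations
# where they commonly live (assumed paths, relative to the home directory).
CREDENTIAL_STORES = {
    "AWS": [".aws/credentials", ".aws/config"],
    "Azure": [".azure/azureProfile.json", ".azure/accessTokens.json"],
    "GCP": [".config/gcloud/credentials.db",
            ".config/gcloud/application_default_credentials.json"],
    "Docker": [".docker/config.json"],
    "FileZilla": [".config/filezilla/sitemanager.xml"],
    "Git": [".git-credentials"],
    "Kubernetes": [".kube/config"],
    "Ngrok": [".config/ngrok/ngrok.yml", ".ngrok2/ngrok.yml"],
    "PostgreSQL": [".pgpass"],
    "SMB": [".smbcredentials"],
}

def audit_credential_stores(home):
    """Return (service, path, mode, exposed) for each store present under home.
    exposed is True when group or others can read the file (mode & 0o044)."""
    findings = []
    for service, rel_paths in CREDENTIAL_STORES.items():
        for rel in rel_paths:
            path = os.path.join(home, rel)
            if not os.path.isfile(path):
                continue
            mode = stat.S_IMODE(os.stat(path).st_mode)
            findings.append((service, path, mode, bool(mode & 0o044)))
    return findings

def exposed_services(home):
    """Names of services whose credential file is readable by other local users."""
    return sorted({svc for svc, _, _, exposed in audit_credential_stores(home) if exposed})

def build_demo_home():
    """Constructed sample home directory: a world-readable AWS file and a locked-down kubeconfig."""
    home = tempfile.mkdtemp(prefix="cred-audit-")
    for rel, mode in {".aws/credentials": 0o644, ".kube/config": 0o600}.items():
        path = os.path.join(home, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write("# constructed sample, not a real credential\n")
        os.chmod(path, mode)
    return home

if __name__ == "__main__":
    for svc, path, mode, exposed in audit_credential_stores(os.path.expanduser("~")):
        print(f"{svc:10} {oct(mode)} {'EXPOSED' if exposed else 'ok':7} {path}")
```

Run it under each interactive and service account on a host (or point `audit_credential_stores` at every directory under `/home`) and treat any `EXPOSED` line as a file to restrict to mode 0600 or move into a secrets manager.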


SentinelOne said the credential collection logic and the files targeted bear similarities to a Kubelet-targeting campaign carried out by TeamTNT in September 2022.

Alongside the shell script malware, the threat actor has also been observed distributing a Golang-based ELF binary that acts as a scanner to propagate the malware to vulnerable targets. The binary further drops a Golang network scanning utility called Zgrab.

"This campaign demonstrates the evolution of a seasoned cloud actor with familiarity across many technologies," security researchers Alex Delamotte, Ian Ahl, and Daniel Bohannon said. "The meticulous attention to detail indicates the actor has clearly experienced much trial and error."

"This actor is actively tuning and improving their tools. Based on the tweaks observed across the past several months, the actor is likely preparing for larger scale campaigns."



Some parts of this article are sourced from:
thehackernews.com

Copyright © TheCyberSecurity.News, All Rights Reserved.