TeamTNT: A Persistent Threat to Cloud Environments
For over two years, the threat actor known as TeamTNT has been actively targeting cloud instances and containerized environments worldwide. CloudSEK security researchers recently released an advisory outlining the timeline of TeamTNT attacks, spanning from February 2020 to July 2021.
Timeline of Attacks
According to the report, TeamTNT’s GitHub profile showcases 25 public repositories, many of which are forks of popular red teaming tools. The group’s domain, registered in February 2020, aligns with their initial focus on targeting Redis servers for cryptojacking purposes.
Initially, TeamTNT deployed tools such as pnscan, Tsunami, and xmrigCC for cryptojacking campaigns. By May 2020, the group shifted their focus to Docker instances, utilizing the TCP port scanner masscan alongside malicious Alpine images.
As their attacks evolved, TeamTNT began using Ubuntu images and the Linux Kernel Module (LKM) rootkit Diamorphine to conceal their activities. They also abused Weavescope, a legitimate container troubleshooting tool, as a backdoor, and in early 2021 introduced new hacking tools targeting Kubernetes.
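The concealment mentioned above relies on an LKM rootkit unlinking itself from the kernel's module list, which is what `lsmod` and `/proc/modules` read. A defender can cross-check that list against `/sys/module`, where a loaded module's directory (with its `initstate` file) normally survives. The following is an added example written for this article, not code from CloudSEK or from any tool the article names; it assumes the rootkit hides only from the module list (true of Diamorphine's default behaviour, but treated here as an assumption), and the sample data is constructed for the demonstration.

```python
"""Detect kernel modules hidden from /proc/modules but still visible in /sys/module.

Built-in kernel code also appears under /sys/module (for its parameters), so the
check only treats entries with an 'initstate' file as loadable modules; that file
exists for modules loaded at runtime but not for built-ins.
"""
from pathlib import Path

# Constructed sample: what /proc/modules might show on a host where the
# rootkit has removed itself from the module list (hypothetical values).
SAMPLE_PROC_MODULES = """\
overlay 151552 0 - Live 0x0000000000000000
xfs 1617920 1 - Live 0x0000000000000000
nf_tables 245760 0 - Live 0x0000000000000000
"""

# Constructed sample: directory names under /sys/module and the files each
# contains. 'printk' is built-in (no initstate) and must not be flagged;
# 'diamorphine' is the hidden LKM (name taken from the article).
SAMPLE_SYSFS = {
    "overlay": {"initstate", "refcnt", "holders", "sections"},
    "xfs": {"initstate", "refcnt", "holders", "sections", "parameters"},
    "nf_tables": {"initstate", "refcnt", "holders", "sections"},
    "printk": {"parameters"},
    "diamorphine": {"initstate", "refcnt", "holders", "sections"},
}


def parse_proc_modules(text: str) -> set[str]:
    """Return the module names listed in /proc/modules (first field per line)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def find_hidden_modules(proc_modules_text: str, sysfs_entries: dict[str, set[str]]) -> list[str]:
    """Loadable modules present in sysfs but absent from the module list.

    sysfs_entries maps each /sys/module/<name> directory to the set of file and
    directory names inside it. Only entries with 'initstate' count as loadable.
    """
    listed = parse_proc_modules(proc_modules_text)
    loadable = {name for name, files in sysfs_entries.items() if "initstate" in files}
    return sorted(loadable - listed)


def collect_live() -> tuple[str, dict[str, set[str]]]:
    """Read the real /proc/modules and /sys/module on a Linux host."""
    text = Path("/proc/modules").read_text()
    entries = {
        entry.name: {child.name for child in entry.iterdir()}
        for entry in Path("/sys/module").iterdir()
        if entry.is_dir()
    }
    return text, entries


if __name__ == "__main__":
    # Demonstration on the constructed sample, then on the live host if available.
    print("sample:", find_hidden_modules(SAMPLE_PROC_MODULES, SAMPLE_SYSFS))
    try:
        print("live:", find_hidden_modules(*collect_live()))
    except OSError as exc:
        print("live check skipped:", exc)
```

A hit from this check is a strong indicator but not proof: a module mid-unload can briefly differ between the two views, and a rootkit that also scrubs its sysfs entry would evade it, so treat the result as a triage signal to confirm with a memory image or a known-good kernel symbol comparison.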
Expansion of Targets
Throughout the latter half of 2021, TeamTNT expanded their target list to include additional services and applications such as AWS, Filezilla, and GitHub. Their ‘Chimaera’ campaign in July reaffirmed their focus on Docker, Kubernetes, and Weavescope services.
Current Status
While the domain associated with TeamTNT is currently offline, remnants of their activities can still be accessed through the Wayback Machine. CloudSEK researchers suggest that the group likely originated from Germany, based on the language and location settings observed in their tweets and bash scripts.
TeamTNT’s persistent attacks on cloud environments serve as a reminder of the ongoing threat posed by sophisticated cybercriminal groups. Organizations are urged to remain vigilant and implement robust security measures to safeguard their cloud instances and containerized environments from potential breaches.