The frequent targeting of cloud and container environments is indicative of the vast attack surface they present to cybercriminals. Recently, Cado Security researchers found a crypto-mining worm dubbed ‘TeamTNT’ that is the first known to contain Amazon Web Services (AWS) specific functionality: the botnet steals AWS credentials from the servers it infects.
What happened? – A series of events
Active since April 2020, TeamTNT updated its mode of operation in mid-August.
- TeamTNT added a new data-stealing feature that enables attackers to scan for and steal AWS credentials. It is the first botnet malware known to scan for and steal AWS credentials.
- The worm also steals local credentials and scans the internet for misconfigured Docker systems.
- So far, attackers have compromised many Docker and Kubernetes systems, including Kubernetes clusters and Jenkins build servers.
Security firm Cado Security said that the TeamTNT botnet targets misconfigured Docker and Kubernetes systems running on top of AWS servers, and then scans the infected servers for any hard-coded AWS credentials. The malware, which installs Monero cryptominers on the infected systems, has been actively targeting Docker installations since April.
Tips from researchers
While the attacks aren’t particularly sophisticated, the numerous groups deploying crypto-jacking worms are successful in infecting large numbers of business systems. Below are some suggestions shared by Cado Security researchers:
- Identify which systems are storing AWS credential files and delete them if they aren’t needed. It is common to find that development credentials have accidentally been left on production systems.
- Use firewall rules to limit any access to Docker APIs. The researchers strongly recommend a whitelist (allow-list) approach for the firewall ruleset.
- Review network traffic for any connections to mining pools, or any use of the Stratum mining protocol.
- Review any connections that send the AWS credentials file over HTTP.
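The following script is an added example, not code from the article or from Cado Security, that turns three of the suggestions above into concrete checks: locating AWS credential files that actually contain an access key id, flagging network log lines that carry Stratum protocol messages, and flagging outbound HTTP requests whose body contains an AWS credentials file. The log line formats, the IP addresses (TEST-NET ranges) and the credential file contents are all constructed for the demo; the access key id used is the documented AWS example key, not a real one.

```python
"""Defender-side checks for the three detection-oriented tips above.

Added example (not from the article or Cado Security). Every sample input
below is constructed for the demo: the log line layout is assumed, the IPs
are from the TEST-NET documentation ranges, and the access key id is the
public AWS example key.
"""
import re
from pathlib import Path
from typing import Iterable, List

# An AWS access key id is a known prefix followed by 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")

# Stratum is JSON-RPC; these method names are the stable signal regardless of
# which port a given mining pool listens on.
STRATUM_METHODS = ("mining.subscribe", "mining.authorize", "mining.submit", "mining.notify")

# --- Constructed sample data ---------------------------------------------
SAMPLE_CREDENTIALS = (
    "[default]\n"
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
    "aws_secret_access_key = <redacted-in-example>\n"
)
SAMPLE_NETLOG = [
    '2020-08-17T10:01:02Z 10.0.0.5:48213 -> 203.0.113.9:3333 {"id":1,"method":"mining.subscribe","params":["miner/1.0"]}',
    '2020-08-17T10:01:03Z 10.0.0.5:48213 -> 203.0.113.9:3333 {"id":2,"method":"mining.authorize","params":["wallet.worker","x"]}',
    "2020-08-17T10:02:00Z 10.0.0.5:51002 -> 198.51.100.20:443 TLS client hello sni=example.com",
]
SAMPLE_HTTPLOG = [
    'POST http://203.0.113.77/upload body="[default] aws_access_key_id=AKIAIOSFODNN7EXAMPLE aws_secret_access_key=<redacted>"',
    'GET http://203.0.113.77/index.html body=""',
]


def credential_file_has_keys(text: str) -> bool:
    """True if the text of a credentials file contains an access key id.

    Tip 1: a file that only sets a region is harmless; one with a key id is
    a credential that should be removed from the host if it is not needed.
    """
    return ACCESS_KEY_RE.search(text) is not None


def find_credential_files(home_dirs: Iterable[Path]) -> List[Path]:
    """Return ~/.aws/credentials files under the given home directories that
    hold an access key id (the worm looks for exactly this file)."""
    hits = []
    for home in home_dirs:
        cred = home / ".aws" / "credentials"
        if cred.is_file() and credential_file_has_keys(cred.read_text(errors="ignore")):
            hits.append(cred)
    return hits


def flag_mining_traffic(log_lines: Iterable[str]) -> List[str]:
    """Tip 3: return log lines carrying Stratum JSON-RPC method names."""
    return [line for line in log_lines if any(m in line for m in STRATUM_METHODS)]


def flag_credential_exfil(http_lines: Iterable[str]) -> List[str]:
    """Tip 4: return HTTP log lines whose body looks like an AWS credentials
    file (INI key name plus a matching access key id) sent in cleartext."""
    return [
        line for line in http_lines
        if "aws_access_key_id" in line and ACCESS_KEY_RE.search(line)
    ]


def run_demo() -> dict:
    """Run the text-based checks over the constructed samples."""
    return {
        "sample_file_has_keys": credential_file_has_keys(SAMPLE_CREDENTIALS),
        "mining_lines": len(flag_mining_traffic(SAMPLE_NETLOG)),
        "exfil_lines": len(flag_credential_exfil(SAMPLE_HTTPLOG)),
    }


if __name__ == "__main__":
    print(run_demo())
    # On a real Linux host, also walk the usual home directories.
    homes = [Path("/root"), *Path("/home").glob("*")] if Path("/home").is_dir() else [Path("/root")]
    for path in find_credential_files(homes):
        print("credential file with access key id:", path)
```

The Stratum check deliberately keys on method names rather than destination ports, since pool ports vary; pair it with a list of known pool hostnames if your proxy logs include them. The second tip (firewalling the Docker API) is a configuration change on the host firewall rather than a log check, so it is not covered by this script.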
As more businesses embrace cloud and container environments, misconfiguration has opened up a new attack surface for cybercriminals. That said, cryptomining threats targeting Docker and Kubernetes aren’t new. Attackers continually scan for publicly accessible, open Docker/Kubernetes servers in an automated fashion, then exploit them to set up their own containers and execute malware on victims’ infrastructure.