Security researchers have warned that the notorious TeamTNT group might be preparing a major new campaign against cloud-native environments, after spotting a threat actor attempting to find misconfigured servers.
Aqua Security launched its investigation after detecting an attack on one of its honeypots. It subsequently discovered four malicious container images. However, given that some of the code functions remained unused and there appeared to be a degree of manual testing going on, the researchers theorized that the campaign is yet to fully launch.
“This infrastructure is in early stages of testing and deployment, and mainly consists of an aggressive cloud worm, designed to deploy on exposed JupyterLab and Docker APIs in order to deploy Tsunami malware, cloud credentials hijack, resource hijack and further infestation of the worm,” it claimed.
“We strongly believe that TeamTNT is behind this new campaign.”
TeamTNT is a prolific cybercrime group known for aggressive attacks on cloud-based systems, especially Docker and Kubernetes environments. It focuses on cryptomining, although over time it has evolved to take on other malicious activities.
Although TeamTNT appeared to cease activities back in late 2021, Aqua Security linked the new campaign to the group via the Tsunami malware it commonly used, use of the dAPIpwn function and a C2 server that replies in German.
The researchers haven’t ruled out an “advanced copycat” – although it would need to be a similarly sophisticated group capable of emulating TeamTNT code and which has a “distinct sense of humor” and “affinity for the Dutch language.”
The new threat activity observed by Aqua Security begins when the threat actor identifies a misconfigured Docker API or JupyterLab server and deploys a container or engages with the Command Line Interface (CLI) to scan for and identify additional victims.
“This process is designed to spread the malware to an increasing number of servers,” the blog post noted. “The secondary payload of this attack includes a cryptominer and a backdoor, the latter using the Tsunami malware as its weapon of choice.”
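The worm's entry point is an exposed Docker API or JupyterLab server. The following is an added example, not code from the article or from Aqua Security, that audits local configuration for exactly those two conditions: a Docker daemon listening on TCP without `--tlsverify`, and a Jupyter server bound to all interfaces with token and password authentication disabled. The `hosts`/`tlsverify` keys and `-H`/`--tlsverify` flags are real dockerd options, and `c.ServerApp.ip`/`token`/`password` are real Jupyter config keys; the sample inputs are constructed.

```python
# Added example (not from the article): audit a host for the misconfigurations the campaign
# abuses. Works on config text only, so it runs offline and never contacts a live daemon.
import json
import re
import shlex

def docker_exposed(daemon_json: str, dockerd_cmdline: str = "") -> list:
    """Findings for daemon.json contents plus an optional dockerd command line."""
    findings, hosts, tls_verify = [], [], False
    if daemon_json.strip():
        cfg = json.loads(daemon_json)
        hosts += cfg.get("hosts", [])
        tls_verify = bool(cfg.get("tlsverify", False))
    argv = shlex.split(dockerd_cmdline)
    for i, arg in enumerate(argv):
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
        elif arg.startswith("--host=") or arg.startswith("-H="):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tls_verify = True
    for h in hosts:
        if not h.startswith("tcp://"):
            continue  # unix:// sockets are not reachable from the network
        bind = h[len("tcp://"):]
        if not tls_verify:
            findings.append(f"Docker API on {bind} without --tlsverify (unauthenticated)")
        if bind.startswith(("0.0.0.0", ":", "[::]")):
            findings.append(f"Docker API bound to all interfaces: {bind}")
    return findings

def _jupyter_setting(config_py: str, key: str):
    """Return the quoted value of c.ServerApp.<key> / c.NotebookApp.<key>, or None if unset."""
    m = re.search(r"^\s*c\.(?:ServerApp|NotebookApp)\." + key + r"\s*=\s*(.+?)\s*$",
                  config_py, re.M)
    return m.group(1).strip("'\"") if m else None

def jupyter_exposed(config_py: str) -> list:
    """Findings for a jupyter_server_config.py / jupyter_notebook_config.py text."""
    ip = _jupyter_setting(config_py, "ip")
    token = _jupyter_setting(config_py, "token")
    password = _jupyter_setting(config_py, "password")
    public = ip in ("0.0.0.0", "*")        # default '' means localhost only
    no_token = token == ""                 # token = '' switches token auth off
    no_password = password in (None, "")   # no password hash configured
    if public and no_token and no_password:
        return ["JupyterLab listens on all interfaces with token and password disabled"]
    return []
```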
Aqua Security posted a list of recommendations to help organizations mitigate the threat.