Enhanced Crypto Mining Malware Now Steals AWS Credentials

Cryptomining malware used by the cybercrime group TeamTNT has been updated with a new feature that steals AWS credentials from infected servers. According to a report by Trend Micro, the group has been operating since at least April of this year; Trend Micro's researchers discovered its cryptocurrency miner, bundled with a DDoS bot used to attack Docker systems, while investigating an open directory of malicious files that had first been spotted by MalwareHunterTeam. TeamTNT scans the Internet for misconfigured Docker APIs that have been left exposed online without a password. When the group finds a vulnerable Docker system, it deploys its own servers within that infrastructure to launch DDoS attacks and run cryptomining malware. TeamTNT is, however, just one of many cybercrime gangs employing similar tactics to take advantage of organizations whose systems are not properly protected online.

First cryptocurrency, now credentials

According to a new report from British security firm Cado Security, TeamTNT has expanded the scope of its malware to target Kubernetes installations and has added a new feature that scans infected servers for AWS credentials. If an infected Docker or Kubernetes system is running on AWS infrastructure, the malware looks for AWS credential and configuration files, copies them, and uploads them to the group's command and control server. To make matters worse, the ~/.aws/credentials and ~/.aws/config files stolen by TeamTNT are not encrypted: they contain clear-text credentials and configuration details for the target's AWS account and infrastructure. Fortunately, none of the stolen credentials have been used yet, according to Cado Security researchers, who sent a set of canary credentials to the group's C&C server and have seen no use of them so far. TeamTNT and its cryptomining malware pose a serious threat to organizations, as the group could significantly increase its profits by selling the stolen credentials or by using them to mine additional cryptocurrency.

Via ZDNet
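The two weaknesses the article describes, a Docker API reachable over TCP without authentication and long-lived AWS keys sitting in clear text in ~/.aws/credentials, are both things a host owner can check for locally. The following is an added example for defenders, not code from the article, from Cado Security or from Trend Micro. It parses an AWS shared credentials file and a Docker daemon.json, flags world-readable credential files, long-term IAM user keys (AWS access key IDs beginning with AKIA; temporary STS keys begin with ASIA) and TCP API listeners without TLS client verification. The sample file contents are constructed placeholders, and the port 2375 in the sample is an assumption about a typical plain-TCP Docker listener rather than a value taken from the article.

```python
import configparser
import json
import os
import stat
import tempfile

# Constructed sample ~/.aws/credentials content. The key IDs and secrets are
# placeholders, not real AWS material.
SAMPLE_CREDENTIALS = """[default]
aws_access_key_id = AKIAEXAMPLEPLACEHOLD
aws_secret_access_key = EXAMPLE-SECRET-PLACEHOLDER-0000000000000000

[ci-temp]
aws_access_key_id = ASIAEXAMPLEPLACEHOLD
aws_secret_access_key = EXAMPLE-SECRET-PLACEHOLDER-1111111111111111
aws_session_token = EXAMPLE-SESSION-TOKEN-PLACEHOLDER
"""

# Constructed sample Docker daemon.json: a Unix socket plus a plain TCP
# listener and no TLS settings (port 2375 is an assumed example value).
SAMPLE_DAEMON_JSON = json.dumps(
    {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
)


def audit_aws_credentials(path):
    """Return a list of findings for an AWS shared credentials file.

    The file is plain INI text, so anything that can read it gets the keys;
    we therefore check both the file mode and the kind of key stored.
    """
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"{path} is readable by group/others (mode {oct(mode)})")
    parser = configparser.ConfigParser()
    parser.read(path)
    for profile in parser.sections():
        key_id = parser.get(profile, "aws_access_key_id", fallback="")
        # Long-term IAM user keys start with AKIA; temporary STS keys start
        # with ASIA and expire on their own, so only the former are flagged.
        if key_id.startswith("AKIA"):
            findings.append(
                f"profile '{profile}' stores a long-lived access key in clear text"
            )
    return findings


def audit_docker_daemon(daemon_json_text):
    """Return findings for a Docker daemon.json: TCP listeners without TLS."""
    findings = []
    config = json.loads(daemon_json_text)
    for host in config.get("hosts", []):
        if host.startswith("tcp://") and not config.get("tlsverify", False):
            findings.append(
                f"Docker API listener {host} has no TLS client verification"
            )
    return findings


def demo():
    """Write the constructed samples to a temp dir and audit them."""
    workdir = tempfile.mkdtemp()
    cred_path = os.path.join(workdir, "credentials")
    with open(cred_path, "w") as fh:
        fh.write(SAMPLE_CREDENTIALS)
    # Deliberately loose permissions so the mode check fires in the demo.
    os.chmod(cred_path, 0o644)
    aws_findings = audit_aws_credentials(cred_path)
    docker_findings = audit_docker_daemon(SAMPLE_DAEMON_JSON)
    return aws_findings, docker_findings


if __name__ == "__main__":
    for finding in sum(demo(), []):
        print(finding)
```

Run against a real host, `audit_aws_credentials(os.path.expanduser("~/.aws/credentials"))` and the contents of /etc/docker/daemon.json are the inputs; the fix for each finding is the mitigation the article implies: keep the Docker API off TCP or behind TLS client certificates, keep credential files at mode 0600, and prefer instance roles or short-lived STS credentials over long-term keys on disk.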