A cybercriminal group behind a sophisticated cloud-credential stealing and cryptomining campaign has recently expanded its targets beyond Amazon Web Services (AWS) to include Microsoft Azure and Google Cloud Platform (GCP).
Researchers from SentinelOne and Permiso have been tracking the campaign and have found significant similarities between the tools used in it and those associated with the notorious, primarily financially motivated threat actor known as TeamTNT.
The campaign's broader targeting started in June and has been evolving with incremental refinements since December. The recent attacks on Azure and GCP cloud services involve the same core attack scripts used in the AWS campaign.
However, according to Alex Delamotte, a threat researcher at SentinelOne, the capabilities for Azure and GCP are less developed compared to those for AWS.
TeamTNT is well-known for exploiting cloud misconfigurations and vulnerabilities to target exposed cloud services. Originally focused on cryptomining campaigns, the group has now expanded its activities to include data theft and backdoor deployment.
Recently, the attackers have been targeting exposed Docker services using modified shell scripts capable of profiling systems, searching for credential files, and exfiltrating them. They also collect environment variable details to identify valuable services for potential future attacks.
The attacker's toolset works across different cloud service providers and does not show significant automation for Azure or GCP beyond credential harvesting, indicating that much of the activity may involve manual intervention.
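The scripts described above succeed when an exposed Docker daemon gives the attacker a container whose environment or mounts already hold cloud credentials. The following audit, written here as an added defender-side example (it is not SentinelOne's, Permiso's or TeamTNT's code), parses `docker inspect`-style JSON and a `daemon.json` to flag exactly those conditions: credential-bearing environment variables, mounts of host credential directories or the Docker socket, and a daemon listening on TCP without TLS. The sample inspect output, the list of credential variable names and the sensitive path prefixes are constructed assumptions; extend them to match your own environment.

```python
"""Audit a Docker host for the conditions a credential-harvesting script would exploit."""
import json
import re
from typing import Dict, List

# Well-known cloud credential variables (assumed starting list; extend as needed).
CREDENTIAL_ENV_NAMES = {
    "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",
    "AZURE_CLIENT_SECRET", "AZURE_CLIENT_ID", "AZURE_TENANT_ID",
    "GOOGLE_APPLICATION_CREDENTIALS",
}
# Generic substrings that usually mark a secret rather than plain configuration.
SECRET_HINT = re.compile(r"(SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE_KEY)", re.IGNORECASE)

# Host paths that hand a container either cloud credentials or the daemon itself (assumed list).
SENSITIVE_MOUNT_PREFIXES = (
    "/var/run/docker.sock",
    "/root/.docker",
    "/root/.aws",
    "/root/.azure",
    "/root/.config/gcloud",
)

# Constructed sample of `docker inspect` output for two containers; values are placeholders.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/billing-worker",
        "Config": {"Env": [
            "PATH=/usr/local/bin:/usr/bin",
            "AWS_ACCESS_KEY_ID=PLACEHOLDER_KEY_ID",
            "AWS_SECRET_ACCESS_KEY=PLACEHOLDER_SECRET",
        ]},
        "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                    "Destination": "/var/run/docker.sock"}],
    },
    {
        "Name": "/web",
        "Config": {"Env": ["PATH=/usr/bin", "APP_ENV=prod"]},
        "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/web/_data",
                    "Destination": "/srv"}],
    },
])

# Constructed daemon.json samples: one exposed without TLS, one TLS-protected.
EXPOSED_DAEMON = json.dumps({"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})
TLS_DAEMON = json.dumps({"hosts": ["tcp://0.0.0.0:2376"], "tlsverify": True,
                         "tlscacert": "/etc/docker/ca.pem"})


def audit_containers(inspect_json: str) -> List[Dict[str, str]]:
    """Return one finding per credential-like env var or sensitive host mount."""
    findings: List[Dict[str, str]] = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "?").lstrip("/")
        for entry in container.get("Config", {}).get("Env") or []:
            key, _, _ = entry.partition("=")  # never log the value itself
            if key in CREDENTIAL_ENV_NAMES or SECRET_HINT.search(key):
                findings.append({"container": name, "kind": "env", "detail": key})
        for mount in container.get("Mounts") or []:
            src = mount.get("Source", "")
            if any(src == p or src.startswith(p + "/") for p in SENSITIVE_MOUNT_PREFIXES):
                findings.append({"container": name, "kind": "mount", "detail": src})
    return findings


def insecure_daemon_listeners(daemon_json: str) -> List[str]:
    """Return TCP listeners from daemon.json that are not protected by tlsverify."""
    cfg = json.loads(daemon_json)
    tls_on = bool(cfg.get("tlsverify"))
    return [h for h in cfg.get("hosts", []) if h.startswith("tcp://") and not tls_on]


if __name__ == "__main__":
    for f in audit_containers(SAMPLE_INSPECT):
        print(f"[{f['kind']}] {f['container']}: {f['detail']}")
    for h in insecure_daemon_listeners(EXPOSED_DAEMON):
        print(f"[daemon] unauthenticated TCP listener: {h}")
```

On a live host, feed `audit_containers` the output of `docker inspect $(docker ps -q)` and `insecure_daemon_listeners` the contents of `/etc/docker/daemon.json`; any finding is a container or listener that would give the campaign's scripts something to take without further effort, and the fix is to move credentials to a secrets store or instance role, drop the socket mount, and put the daemon behind TLS or a Unix socket only.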
In addition to the shell scripts used in earlier attacks, TeamTNT has started using a UPX-packed, Golang-based ELF binary that drops and executes another shell script for propagating to other vulnerable targets.
This worming propagation mechanism specifically targets Docker instances with certain user-agent versions, which could be hosted on Azure or GCP.
The researchers from SentinelOne and Permiso believe that TeamTNT is currently testing its tools in Azure and GCP environments without pursuing specific objectives on impacted systems. However, organizations using Azure and GCP should remain vigilant, as similar attack frameworks to those used against AWS may be employed against their cloud environments.
Recently, Sysdig also updated a report linking the ScarletEel cloud credential stealing and cryptomining campaign to TeamTNT's activity, further emphasizing the threat posed by this group. To defend against such attacks, administrators are encouraged to collaborate with their red teams to understand the most effective attack frameworks for these cloud platforms.
"Pacu is a known red team favorite for attacking AWS," Delamotte says. "We can expect these actors will adopt other successful exploitation frameworks."