
AWS and Alibaba Cloud Attacked by Crypto Miners

An intel source recently provided Cisco Talos with modified versions of the TeamTNT cybercrime group's malicious shell scripts, an earlier version of which was documented by Trend Micro. The malware author modified these tools after learning that security researchers had disclosed the prior version of the scripts. These scripts are intended primarily for Amazon Web Services (AWS), but they might also be used on-premise, in containers, or in other Linux instances.

In addition to the primary credential-stealer scripts, there are multiple TeamTNT payloads focused on bitcoin mining, persistence, and lateral movement, employing tactics such as identifying and installing on all Kubernetes pods in a local network. Also included are a script containing user credentials for the distribution server and another with an API key that may allow remote access to a tmate shared login session. Some TeamTNT scripts include defense evasion functions aimed at defeating Alibaba Cloud security technologies.

To obtain credentials, the script looks in the following places and APIs:

  • It searches for the string 'AWS' in /proc/*/environ, the environment variables of running Linux processes.
  • It searches for the string 'AWS' in Docker container environment variables using the command docker inspect $(docker ps -q).
  • It reads the default AWS CLI credential file locations, /home/.aws/credentials and /root/.aws/credentials.

While the credential lookup itself will not be caught by Cisco Secure Cloud Analytics, its "AWS Temporary Token Persistence" alert will detect later use of these credentials to generate further temporary credentials. Finally, the malware saves any credentials gathered by the preceding functions to the file "/var/tmp/TeamTNT AWS STEALER.txt", uses cURL to upload it to the URL http://chimaera[.]cc/in/AWS.php, and then deletes it.

No CloudTrail, GuardDuty, or SCA events were generated when the script ran on the target EC2 instance, because all network traffic was restricted by the VPC Security Group, so the script could not reach TeamTNT's servers.
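As an added example of the kind of logic behind the "AWS Temporary Token Persistence" alert (this is not Talos or Cisco code), the following scans CloudTrail-style records for STS calls that mint new temporary credentials either from outside the trusted network or from an EC2 instance-role session that should never chain into another role. The account id, IP addresses, CIDR and role names are constructed; the assumption that instance roles never call STS themselves is environment-specific.

```python
"""Flag STS calls that mint new temporary credentials from an unexpected
place. Added example, not Talos or Cisco code; account id, IPs, CIDR and
role names are constructed."""
import ipaddress

# STS operations that return a fresh set of temporary credentials.
TOKEN_MINTING = {"AssumeRole", "GetSessionToken", "GetFederationToken"}
# Assumption: the only network from which workload credentials may be used.
TRUSTED_CIDRS = [ipaddress.ip_network("10.0.0.0/16")]

# Constructed CloudTrail-style records, trimmed to the fields used here.
SAMPLE_EVENTS = [
    {"eventID": "ev-1", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "sourceIPAddress": "10.0.1.5",  # IAM user from inside the VPC: expected
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/deploy"}},
    {"eventID": "ev-2", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "sourceIPAddress": "203.0.113.7",  # instance-role session used from outside the VPC
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/web-role/i-0abc12345"}},
    {"eventID": "ev-3", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "sourceIPAddress": "10.0.2.9",  # inside the VPC, but an instance role chaining roles
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/web-role/i-0def67890"}},
]

def _from_trusted_network(source_ip):
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return True  # AWS-initiated calls carry a service name such as ec2.amazonaws.com
    return any(ip in net for net in TRUSTED_CIDRS)

def _is_instance_session(identity):
    # EC2 instance-profile sessions use the instance id as the role session name.
    session = identity.get("arn", "").rsplit("/", 1)[-1]
    return identity.get("type") == "AssumedRole" and session.startswith("i-")

def suspicious_sts_events(records):
    """Return [(eventID, reason)] for token-minting calls worth alerting on."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "sts.amazonaws.com" or rec.get("eventName") not in TOKEN_MINTING:
            continue
        src, ident = rec.get("sourceIPAddress", ""), rec.get("userIdentity", {})
        if not _from_trusted_network(src):
            findings.append((rec["eventID"], f"{rec['eventName']} from untrusted IP {src}"))
        elif _is_instance_session(ident):
            # Assumption: instance roles here never mint further credentials, so this is chaining.
            findings.append((rec["eventID"], "instance-role session minting new credentials"))
    return findings
```

Running `suspicious_sts_events(SAMPLE_EVENTS)` flags ev-2 and ev-3 and leaves the deploy user's call alone.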

The core of the defense impairment functions is directed against Alibaba Cloud Security's numerous agents, though they also target Tencent Cloud Monitor and the third-party BMC Helix Cloud Security agents. While the bulk of the malicious scripts target AWS Elastic Compute Cloud (EC2) virtual machines, these agents are most typically found running inside Alibaba Cloud Elastic Compute Service (ECS) instances or Tencent Cloud VMs. They could in theory be installed on a VM running on AWS or any other provider, but that would be unusual. TeamTNT makes no attempt to disable AWS CloudWatch, Microsoft Defender, Google Cloud Monitor, Cisco Secure Cloud Analytics, CrowdStrike Falcon, Palo Alto Prisma Cloud, or other cloud security tools popular in the United States.

The Alibaba defense impairment routines were extracted from the script Kubernetes root payload 2.sh and saved separately. Because static analysis of these functions is hampered by multiple Base64-encoded strings, those strings were decoded and placed back into the file ali-defense-impairment-base64-decoded.sh.txt.

"Cybercriminals who have been exposed by security researchers should update those tools to keep functioning successfully," stated Darin Smith of Talos. 

The serious remote code execution vulnerability in Spring Framework (CVE-2022-22965) has also been leveraged to deploy cryptocurrency miners, yet another example of how threat actors quickly fold newly disclosed flaws into existing attacks. The exploitation attempts use a custom web shell to deploy the miners, but not before switching off the firewall and stopping competing cryptocurrency miner processes.

Chimaera Toolkit Found on Thousands of Windows and Linux Systems Worldwide


AT&T's Alien Labs security division has raised the alarm about a TeamTNT malware campaign that has gone almost entirely undetected by anti-virus systems and is turning target machines into bitcoin miners. TeamTNT, dubbed "one of the most active threat organizations since 2020" by Alien Labs researcher Ofer Caspi, is notorious for its exploitation - and misuse - of open-source security tools for everything from identifying vulnerable targets to dropping remote-control shells.

Last year, TeamTNT was discovered installing bitcoin mining malware on vulnerable Docker containers. Trend Micro found that the group tries to steal AWS credentials in order to spread to other servers, and more recently Cado Security observed TeamTNT targeting Kubernetes installations.

TeamTNT's open-source tools include the port scanner Masscan, libprocesshider for running the TeamTNT bot from memory, 7z for file decompression, the b374k PHP shell panel for system control, and LaZagne.

Palo Alto Networks' Unit 42 found Chimaera, a software repository that "highlights the expanding scope of TeamTNT operations within cloud environments as well as a target set for current and future operations," according to the company.

Now, AT&T's Alien Labs has shed additional light on Chimaera, claiming that it has been in use since July and is "responsible for thousands of infections globally" across Windows, Linux, AWS, Docker, and Kubernetes targets, all while eluding detection by anti-virus and anti-malware programmes. 

The usage of Lazagne, an open-source application developed with one goal in mind: collecting credentials from major browsers, is a significant element of the Chimaera toolkit. Another programme tries to find and exfiltrate Amazon Web Services (AWS) credentials, while an IRC bot serves as a command and control server.

"In this case, most of the used files that are placed on disk at some point lack a clear malicious purpose by themselves," Caspi told of the reason the malware could go undetected for so long. "The malicious processes injected into memory without touching the disk are harder to identify if they don't share indicators with previous malicious activity or perform any clearly malevolent activity." 

TeamTNT's primary objective is to mine Monero, a privacy-focused cryptocurrency, on victim hardware rather than harvesting credentials. "Mining cryptocurrency has always been TeamTNT's major goal," Caspi stated.

TeamTNT Targeting Organizations Via Cryptojacking Malware


A cybercriminal gang known as TeamTNT has been ramping up its cloud-focused cryptojacking operations for some time now. TeamTNT operations have targeted Kubernetes clusters, which are widely used and are an attractive target for threat actors operating primarily in cloud environments with access to nearly unlimited resources.

The attackers have also built new malware called Black-T that combines open-source cloud-native tools to assist in their cryptojacking operations. Once it gains a foothold in a Kubernetes cluster, the malware attempts to spread to as many containers as possible.

Palo Alto's Unit 42 researchers have discovered and confirmed close to 50,000 IPs compromised by this TeamTNT campaign across multiple clusters. Several IPs were repeatedly exploited during the campaign, which ran between March and May. Most of the compromised nodes were in China and the US, as identified from the ISP (Internet Service Provider) list, in which Chinese and US-based providers, including some CSPs (Cloud Service Providers), had the highest hit counts.

TeamTNT has gathered 6.52012192 Monero coins via this cryptojacking campaign, equal to USD 1,788. The mining operation was found to be running at an average speed of 77.7 KH/s across eight mining workers. Operations using this Monero wallet address have continued for 114 days and are still ongoing.

The researchers said TeamTNT’s new campaign is the most sophisticated malware Unit 42 has seen from this gang. They said on this round the threat actor developed more sophisticated tactics for initial access, execution, defense evasion, and command and control. Although the malware is still under development and the campaign has not spread widely, Unit 42 believes the attacker will soon improve the tools and start a large-scale deployment. 

TeamTNT has stolen the credentials of 16 applications, including AWS and Google Cloud credentials, which may be stored on the compromised cloud instance. The targeting of Google Cloud credentials for collection represents the first known instance of an attacker group targeting IAM credentials on compromised cloud instances outside of AWS.

Researchers believe that Microsoft Azure, Alibaba Cloud, Oracle Cloud, or IBM Cloud IAM credentials could be targeted using similar methods. Unit 42 researchers are yet to find evidence of credentials from these cloud service providers (CSPs) being targeted. TeamTNT first started collecting AWS credentials on cloud instances they had compromised as early as August 2020.

TeamTNT: New Credential Harvester Targets Cloud Services and other Software


Secrets must be kept confidential in order for networks to be protected and supply-chain attacks to be avoided. Malicious actors frequently target secrets in storage mechanisms and harvest credentials from systems that have been compromised. DevOps software often stores credentials in plain text that is accessible even without user intervention, posing a significant security risk. 

When inside a victim's device, malicious actors have been known to steal cloud service provider (CSP) credentials. For example, the cybercriminal group TeamTNT is no stranger to attacking cloud containers, expanding their arsenal to steal cloud credentials, and experimenting with new environments and intrusive activities. 

In the group's most recent attack routine, Trend Micro found new evidence that TeamTNT has expanded its credential harvesting to target numerous cloud and non-cloud services in victims' internal networks and systems post-compromise.

The malware created by TeamTNT is designed to steal credentials from specific applications and services. It infects Linux machines with vulnerabilities such as exposed private keys and recycled passwords, and it focuses on looking for cloud-related data on infected devices. 

Cloud misconfigurations and reused passwords, as in the group's other attacks, make it easy to gain access to a victim's device. To gain access to other systems, the group harvests credentials for Secure Shell (SSH) and Server Message Block (SMB), as before. Both intrusion strategies allow the payloads to spread in a worm-like manner.

When running on the linked devices, the malware searches for application configurations and data based on a search list and sends them to the command-and-control (C&C) server, using a .netrc file to log in automatically with the harvested credentials. Comparing this harvester with the group's previous versions, Trend Micro saw a significant increase in targets.

Since TeamTNT's payloads are focused on illegal Monero mining, it is no surprise that the malware searches the infected system for Monero configuration data. The malware looks for Monero wallets on all devices that the group has access to. At the end of its routine, the malware attempts to remove all traces of itself from the infected device. Research strongly suggests that this is not achieved effectively: although the command "history -c" clears the Bash history, other commands continue to run and leave traces in other parts of the device.
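The .netrc mechanism above is worth auditing on your own hosts: a stored login for an unfamiliar machine, or a catch-all `default` entry, lets curl and wget authenticate to that host silently. The following audit is an added example (not Trend Micro's or TeamTNT's code) that parses a .netrc with Python's standard `netrc` module, checks file permissions, and reports entries for hosts outside an allowlist; the hosts, logins and passwords in the sample file are constructed.

```python
"""Audit a .netrc file for entries a credential harvester might plant.
Added example, not Trend Micro or TeamTNT code; the hosts, logins and
passwords below are constructed."""
import netrc
import os
import stat
import tempfile

# Assumption: the only hosts this machine is allowed to hold stored logins for.
ALLOWED_HOSTS = {"git.internal.example", "artifacts.internal.example"}

# Constructed sample: one sane entry, one unknown host, and a catch-all entry.
SAMPLE_NETRC = """\
machine git.internal.example login ci password hunter2-ci
machine files.example.invalid login u password p
default login anon password anon@example.invalid
"""

def audit_netrc(path, allowed_hosts=ALLOWED_HOSTS):
    """Return a sorted list of findings (strings) for the .netrc at `path`."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"permissions {oct(mode)} allow group/other access")
    # netrc.netrc skips its ownership/mode check for an explicit path; we did our own above.
    for host, (login, _account, _password) in netrc.netrc(path).hosts.items():
        if host == "default":
            # A default entry sends the stored login to every host curl/wget contacts.
            findings.append(f"catch-all 'default' entry (login {login!r})")
        elif host not in allowed_hosts:
            findings.append(f"stored login {login!r} for unlisted host {host}")
    return sorted(findings)

def audit_sample():
    """Write the constructed sample to a temp file, audit it, and clean up."""
    with tempfile.NamedTemporaryFile("w", suffix=".netrc", delete=False) as fh:
        fh.write(SAMPLE_NETRC)
        path = fh.name
    os.chmod(path, 0o644)  # deliberately too permissive for a credentials file
    try:
        return audit_netrc(path)
    finally:
        os.unlink(path)

if __name__ == "__main__":
    for finding in audit_sample():
        print("finding:", finding)
```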

Malicious actors deliberately search internal networks and systems for legitimate users' credentials in order to facilitate their post-intrusion activities. They could use the cloud services paid for by legitimate organizations for other malicious purposes if they have CSP credentials. 

Furthermore, plaintext credentials are a gold mine for cybercriminals, particularly when used in subsequent attacks. Vulnerabilities, especially those in unpatched and otherwise unsecured internet-facing systems, are the same. 

Customers are advised to use the secrets vaults provided by their CSPs and adopt these best practices to minimize the risks of this TeamTNT routine and related threats:
1. Adopt the shared responsibility model and enforce the principle of least privilege.
2. Replace default credentials with strong, secure passwords and make sure that the security settings of the various system environments are tailored to the needs of the company.
3. Avoid storing passwords in plain text and use multifactor authentication.