TeamTNT Cloud Cryptojacking Threats to Cloud Security

Technology Cloud Security, Cyber Attack Prevention, Cyber Awareness Training, Cyber Resilience Sardar Umar October 29, 2024 0 Comments

Unmasking the TeamTNT Cloud Cryptojacking Threat: Deep Dive into Advanced Tactics Against Cloud Environments

Once again, the TeamTNT Cloud Cryptojacking threat is back with a number of advancements to its attacks on cloud native infrastructures. While best known for their disruptive cryptojacking tactics, the TeamTNT hacker group is continuing to exploit cloud vulnerabilities resulting in so many compromised systems, they are turned into cryptocurrency mining machines. In this detailed exploration, we’ll see how the strategies and methods for TeamTNT’s latest attack campaigns, and growing sophistication of such attacks succeeding in the increasing number of cloud ecosystems.

Table of Contents

What Is TeamTNT Cloud Cryptojacking Threat?

Originally making the rounds in the cybersecurity space in 2020, then known as TeamTNT, it hit the scene with some major name, becoming notorious for cryptojacking attacks that target Docker/Kubernetes environments. TeamTNT isn’t looking to steal data or ransom your system — instead, their primary aim is to do some cryptojacking in the cloud. Such an attack gives them the ability to use compromised cloud systems for mining the privacy focused coin, Monero.
Their attacks are very explosive — very disruptive — and that’s what the name means, “Team TNT” is. This group continues to refine their tactics and as it does, TeamTNT Cloud Cryptojacking Threat is one of the most persistent and evolving threats to cloud infrastructure today.

How TeamTNT Cloud Cryptojacking Works

TeamTNT’s Tactics, Techniques and Procedures (TTPs)

TeamTNT Cloud Cryptojacking Threat: exploits a host of weakness in the cloud. Their primary attack techniques include:
Cryptojacking and Monero Mining: Process power of compromised systems is leveraged by TeamTNT, who mine Monero (XMR) — a cryptocurrency known for its privacy features.
Exploitation of Cloud Misconfigurations: They’ve established themselves as exploiters of misconfigured Docker APIs and other vulnerable cloud services.
Custom Malware and Rootkits: To be persistent and evade detection TeamTNT uses open source rootkits based on *Diamorphine*.
Targeting Kubernetes and Orchestration Tools: TeamTNT can enter as an easy entry point is through weak authentication in Kubernetes clusters.
Automated Exploitation via Scanning Tools: TeamTNT find exposed Docker daemons and other endpoints with minimum security using tools like masscan and ZGrab enabling them to get maximum foothold rapidly

Expanding Influence: TeamTNT Cloud Cryptojacking Threat in Cloud Ecosystems

Further investigation on the TeamTNT Cloud Cryptojacking Threat – targeting Docker Daemons

The core part of their attack strategy is still focused on Docker daemons. Exposed Docker APIs with misconfigurations make these endpoints susceptible to TeamTNT accessing.

Mass Scanning with Tools: masscan and ZGrab are used to scan the IPs of around 16.7 million IP addresses by our TeamTNT, looking for vulnerable Docker daemons.
Specific Ports: The main thing they do is target Docker API ports such as 2375, 2376, 4243, and 4244 — by default, these ports are often left unprotected.
Trojanized Docker Containers: If they see the daemon has an exposed port, they push a seemingly benign container image (usually based on *Alpine Linux*) that contains shell scripts that will give them a foothold on the server.

The Alpine Linux Trojan: TeamTNT Cloud Cryptojacking: New Attack Vectors

The TeamTNT Cloud Cryptojacking Threat initial attack vector uses the Alpine Linux Trojan. This payload is being used by TeamTNT to give them remote access and the ability to keep persistence on infected systems without being detected instantly. Once deployed, the Alpine Linux image Trojan spies on your system data to be used for future exploitation.

TeamTNT Cloud Cryptojacking Threat: Introducing the Docker Gatling Gun (TDGGinit.sh)

TheDocker Gatling Gun (TDGGinit.sh) is one of the newest TeamTNT Cloud Cryptojacking Threat common, weapon of choice. A lot of changes in their cryptojacking strategy occurred through this automated script.

You Can Also Read: Critical Wi-Fi Security Flaw Exposes Routers to Remote Code Execution: A Deep Dive into CVE-2024-41992

The key functions of TDGGinit.sh in the TeamTNT Cloud Cryptojacking attack covers the following

Relay Display Employers: The relay function relays the payment addresses of the members of a panel to the people who have been affected by the program in an attempt to trick them into accepting the payment.

Verify payment process: The verify function performs the task of verifying that the payment actually is their payment.
The Docker Gatling Gun script is designed to:

Maintain Persistence: Allows for the compromised system to undergo continuous access.
Install Additional Malware: Futher runs more malicious software such as keyloggers, data exfiltration tools.
Collect System Data: It provides valuable system information enabling TeamTNT to refine its exploitation efforts.
Establish Secure Command-and-Control Channels: It encrypts its protocols for use with TeamTNT’s servers, making it harder for security systems to see.

Command-and-Control (C2) Evolution in the TeamTNT Cloud Cryptojacking Threat: Tsunami to Sliver

In tactical upgrade TeamTNT has ditched the Tsunami backdoor for the open source C2 framework Sliver. The switch gives the group control over the compromised system, and a way to customize and improve that control.

Increased Flexibility: Sliver is built in modules which facilitate streamlined command execution and data exfiltration.
Continuous Development: Sliver is an open source tool meaning it is constantly upgraded and updated with regular updates so it always stays at the cutting edge of anti-detection techniques.
Enhanced Evasion: Security software can be less successful at detecting malicious activity, since Sliver’s encryption and obfuscation mechanisms.

Monetization Tactics in the TeamTNT Cloud Cryptojacking Threat: Beyond Cryptojacking

TeamTNT Cloud Cryptojacking Threat While Cryptojacking has been rebranded to increase profitability and decrease operational overhead.

TeamTNT Cloud Cryptojacking Threat — Cryptocurrency Mining and Infrastructure Rental.

Still, Monero mining is a core activity and TeamTNT now pays computational power from the compromised systems on such platforms as *Mining Rig Rentals*. This diversification provides multiple revenue streams:

Infrastructure Rental for Profit: During peak cryptocurrency price fluctuations, renting out resources from an infected system can actually pay more than mining.
Collaboration with Other Cybercriminals: TeamTNT earns alliances by giving out resources to other actors, and the more there are, the bigger their reach, and the more capabilities they have.

The Prometei Botnet: Another Parallel Threat to the TeamTNT Cloud Cryptojacking Threat

In the cryptojacking landscape, TeamTNT is king, but other threats, like the Prometei botnet, also attack cloud systems. Cloud security challenges are equally significant in the case of Prometei, who uses different techniques but covers the same problem.

List of Prometei’s Attack Techniques [ také programovatelné ]

RDP and SMB Exploits: RDP and SMB are the services on which Prometei capitalizes on vulnerabilities.
Persistence Across Reboots: The malware created by Prometei is highly specialized to keep malware active even after system reboots.
Lateral Movement: Additional network systems on the attack surface are infected by Prometei.
Monero Mining for Profit: Prometei, not unlike TeamTNT, employs compromised resources for mining Monero, while attempting to cover their tracks using the privacy focused cryptocurrency.

Implications for Cloud Security: Why a Proactive Approach is Needed

Cloud security remains terribly vulnerable to the TeamTNT Cloud Cryptojacking Threat, and threats such as Prometei.
API Security: These are both times where the point couldn’t be more clear: API endpoints must be secured with strong authentication.
Container Security: The need for containerized scanning and runtime security is communicated with the focus on malicious images and containers.
Open-Source Tool Awareness: Open Source tools like Sliver need to be a constant on the radar for security teams.

TeamTNT Cloud Cryptojacking Threat: Key Security Recommendations

To mitigate the TeamTNT Cloud Cryptojacking Threat, organizations should prioritize these security measures:
Enforce API Security: API endpoints should have strong access controls you don’t want to risk leaving without.
Implement Network Segmentation: Prevent containerized environments from speaking to networks other than those they should.
Deploy Continuous Monitoring: Detect abnormal behavior, resource spikes, and unauthorized change of resource in real time using tools.
Perform Regular Cloud Audits: Auditing cloud configurations and container deployments is something you do often to look for potential vulnerabilities.
Prioritize Timely Patch Management: Always keep their systems updated to cover known security weakness.
Employee Training and Awareness: Teach employees about cryptojacking risks and cloud security good practices..

Conclusion: Tactical Response: Coping and adapting with the Cloud Cryptojacking threat TeamTNT

TeamTNT Cloud Cryptojacking Threat demonstrates the importance of security in cloud. However, TeamTNT still continues the innovations and so organizations will need to adapt their security strategy to fight these evolving threats. Businesses can help protect infrastructure and be more resilient to attack when working across security teams, sharing threat intelligence and taking proactive cloud security measures.

For more content we’ve posted, follow us on LinkedIn.