Experts Warn of Impending TeamTNT Docker Attacks


Security researchers have warned that the infamous TeamTNT group could be preparing a significant new campaign against cloud-native environments, after spotting a threat actor hunting for misconfigured servers.

Aqua Security launched its investigation after detecting an attack on one of its honeypots. It subsequently found four malicious container images. However, given that some of the code functions remained unused and there appeared to be a degree of manual testing going on, the researchers theorized that the campaign is yet to fully launch.

“This infrastructure is in early stages of testing and deployment, and is mainly consistent of an aggressive cloud worm, designed to deploy on exposed JupyterLab and Docker APIs in order to deploy Tsunami malware, cloud credentials hijack, resource hijack and further infestation of the worm,” it claimed.

“We strongly believe that TeamTNT is behind this new campaign.”


TeamTNT is a prolific cybercrime group known for aggressive attacks on cloud-based systems, especially Docker and Kubernetes environments. It specializes in cryptomining, although over time it has evolved to take in other malicious activities.

Although TeamTNT appeared to cease activities in late 2021, Aqua Security linked the new campaign to the group through the Tsunami malware it commonly used, the dAPIpwn function and a C2 server that replies in German.

The researchers haven’t ruled out an “advanced copycat” – although it would have to be a similarly sophisticated group capable of emulating TeamTNT code and which has a “distinct sense of humor” and “affinity for the Dutch language.”

The new threat activity spotted by Aqua Security begins when the threat actor identifies a misconfigured Docker API or JupyterLab server and deploys a container or engages with the Command Line Interface (CLI) to scan for and identify additional victims.

“This process is designed to spread the malware to an increasing number of servers,” the blog post noted. “The secondary payload of this attack includes a cryptominer and a backdoor, the latter employing the Tsunami malware as its weapon of choice.”

Aqua Security posted a list of recommendations to help organizations mitigate the threat.
