TeamTNT Targeted Cloud Instances and Containerized Environments For Two Years

The threat actor known as TeamTNT has been targeting cloud instances and containerized environments on systems around the world for at least two years.

The findings come from CloudSEK security researchers, who posted an advisory on Thursday detailing a timeline of TeamTNT attacks from February 2020 until July 2021.

According to the report, the group’s GitHub profile contains 25 public repositories, most of which are forks of popular red teaming tools, along with other repositories the group may have used in its operations.

Additionally, the domain spotted by CloudSEK and allegedly associated with TeamTNT was registered on February 10, 2020, the same period in which the group began actively targeting Redis servers.

In these initial campaigns, CloudSEK said the aim of TeamTNT was cryptojacking, as the group deployed a number of tools typically used for these attacks, including pnscan, Tsunami and xmrigCC, among others.

TeamTNT then reportedly started attacking Docker instances in May 2020, mostly using the same cryptojacking-focussed tools but introducing the use of TCP port scanner masscan in conjunction with malicious Alpine images.

Throughout August 2020, the cybercriminal group continued their attacks on Docker, but they started using the Ubuntu images directly instead of Alpine. They also deployed the Linux Kernel Module (LKM) rootkit known as Diamorphine to hide their activities on infected machines.

Months later, they started abusing Weavescope, a legitimate troubleshooting tool, as a backdoor, and in January 2021, a report by Lacework Labs suggested TeamTNT was using three new hacking tools targeting Kubernetes: Peirates, Botb, and libprocesshider.

In the second half of 2021, the group’s target list reportedly remained the same, but they expanded their credential-stealing capabilities to additional services and applications, including AWS, Filezilla and GitHub, among others. In July, TeamTNT launched a campaign named ‘Chimaera,’ suggesting the group continued their attacks on Docker, Kubernetes, and Weavescope services.

At the time of writing, the domain associated with TeamTNT is offline, but the CloudSEK advisory noted that screenshots of the domain are still available on the Wayback Machine.

The security researchers suggested the group most likely originated from Germany because most of the tweets and bash scripts (including comments) are in German, and the account’s location is set to 'Deutschland'.
