TeamTNT Scans Relentlessly to Compromise Targets

Category: Threat Actor Activity | Industry: Global | Source: AquaSec

Through successful infiltration of TeamTNT's command and control (C2) server, AquaSec researchers Ofek Itach and Assaf Morag have uncovered a highly "aggressive cloud campaign" driven by the relentless scanning capabilities of the threat actor's botnet. Unlike previous TeamTNT campaigns that primarily focused on cryptocurrency mining, the objective of this campaign is to expand its botnet. AquaSec's investigation of the infrastructure revealed that the botnet persistently scans for misconfigurations and exposed services in various platforms, including Kubernetes, Docker, Weave Scope, JupyterLab, Jupyter Notebook, Redis, Hadoop, Tomcat, Nginx, and SSH. According to AquaSec, their research indicates "this botnet perpetually scans the entirety of the internet. Consequently, every IP address undergoes a scan at least once every hour. We discovered that the rate of infection is fairly rapid, with a minimum of two new victims emerging every hour."

To get an idea of the scope of TeamTNT's botnet efficiency, AquaSec conducted a seven-day scan, identifying "196 unique infected hosts. This equates to ~1.3 new victims every hour." TeamTNT's scanning mechanisms are documented with three key stages involving (1) scanning for new targets, (2) dropping their malware and worm to infect the target, and (3) notifying their C2 when the compromised host has been infected. An extensive toolbox of scripts was observed on AquaSec's honeypots displaying TeamTNT's arsenal capable of scanning for additional hosts, changing host configurations, downloading other tools, establishing persistence, stealing credentials, their Tsunami malware which uses the Internet Relay Chat (IRC) protocol for its C2 and much more.

To expand their infection, TeamTNT is focused on gathering credentials "across multiple cloud environments, including AWS, Azure, and GCP. They are not only looking for general credentials but also specific applications such as Grafana, Kubernetes, Docker Compose, Git access, and NPM. Additionally, they are searching for databases and storage systems such as Postgres, AWS S3, Filezilla, and SQLite." Despite a supposed hiatus, TeamTNT appears to have fully emerged back into the threat landscape albeit being less vocal in their exploits on social media. The proficiency in their infrastructure and attack is a warning for organizations to properly configure and secure their cloud instances.