Unmasking TeamTNT: The Infamous Hacker Group’s Latest Cloud-Based Crypto Mining Assaults
to deliver payloads,” warns cybersecurity expert Jeff Pedersen.
This recent shift in the modus operandi of TeamTNT is a call to immediate security action for organizations leveraging cloud-based resources.
The hacker group, which has been active since late 2019, has evolved its attack techniques to a new level of complexity and sophistication.
Its modus operandi has moved from basic cryptojacking toward more intelligent and dynamic attacks targeting Docker and Kubernetes orchestration systems in cloud environments.
This new strategy exposes many globally operating companies to compromise and illustrates the urgency with which organizations must strengthen their security posture.
The group uses an advanced malware dubbed ‘Sliver’.
This cyber worm leverages Docker daemons vulnerable to remote configuration changes.
Once it has compromised the Docker infrastructure, the Sliver worm plants a C2 server that communicates with the compromised Docker servers to download and execute cryptomining malware.
It also facilitates the download of additional penetration testing tools, port scanners, and other hacking utilities.
“Sliver malware acts in a way that has multiple security problems.
Not only does it exploit the Docker API, but it also looks out for other tools to research the internal network of the victim.
This can include ARP scanning, traffic sniffing, etc., posing serious security threats,” explains Pedersen.
Moreover, TeamTNT has taken its activities a step further by renting out breached servers to third-party cybercriminals.
This ‘hacker-for-hire’ scheme could introduce more complex and widespread risks to businesses.
Countermeasures and Mitigation Steps
Organizations should implement robust security practices: regular vulnerability scans, keeping software and systems up to date to close known exploits, and diligent enforcement of access management policies.
Furthermore, monitoring containers and hosts for unusual activity, deploying robust intrusion detection and prevention systems, and applying container-level segmentation can mitigate these threats.
Regular penetration testing is invaluable for exposing potential vulnerabilities.
Enhanced visibility of third-party applications and restricted network access for containers could significantly limit the potential attack surface.
In a cloud-native environment specifically, the principle of least privilege (POLP), configuring proper security groups, and utilizing protections offered by the cloud service provider can prevent the hijack of resources for cryptomining activities.
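One concrete form of the access-management and least-privilege advice above is making sure the Docker daemon itself is not reachable for remote configuration changes. The following is an added example, not code from the article or from TeamTNT's tooling: it audits a dockerd daemon.json for a network-facing API listener that lacks mutual TLS and produces a hardened copy; the certificate paths and both sample configurations are constructed placeholders.

```python
# Added example (not from the article): flag Docker API listeners that remote
# hosts can use without client-certificate authentication, and harden them.
# "hosts", "tlsverify", "tlscacert", "tlscert" and "tlskey" are documented
# dockerd daemon.json options; the sample configurations are constructed.
import json
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
TLS_KEYS = ("tlscacert", "tlscert", "tlskey")
LOCAL_SOCKET = "unix:///var/run/docker.sock"


def _mutual_tls(cfg: dict) -> bool:
    """True only if client certs are verified and all three TLS files are set."""
    return cfg.get("tlsverify") is True and all(cfg.get(k) for k in TLS_KEYS)


def audit_daemon_config(cfg: dict) -> list[str]:
    """Return one finding per tcp listener exposed beyond loopback without mTLS."""
    findings = []
    for host in cfg.get("hosts", [LOCAL_SOCKET]):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local-only
        # dockerd treats tcp://:PORT (empty host) as "bind all interfaces"
        bind = urlsplit(host).hostname or "0.0.0.0"
        if bind not in LOOPBACK and not _mutual_tls(cfg):
            findings.append(f"{host}: Docker API reachable from the network "
                            "without mutual TLS; anyone who can connect can "
                            "reconfigure the daemon and start containers")
    return findings


def harden(cfg: dict) -> dict:
    """Copy of cfg keeping only local sockets and mTLS-protected tcp listeners."""
    out = dict(cfg)
    kept = [h for h in cfg.get("hosts", [])
            if not h.startswith("tcp://") or _mutual_tls(cfg)]
    out["hosts"] = kept or [LOCAL_SOCKET]
    return out


# Constructed samples: the weak config is the classic exposed-daemon mistake.
WEAK = json.loads('{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}')
HARDENED = {
    "hosts": [LOCAL_SOCKET, "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",          # placeholder paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_daemon_config(cfg) or "no findings")
    print("hardened copy of weak config:", json.dumps(harden(WEAK)))
```

Run it against a real /etc/docker/daemon.json by loading the file with `json.load` and passing the result to `audit_daemon_config`; listeners passed to dockerd on the command line (`-H`) are not covered by this check.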
Conclusion
As more organizations adopt cloud-native environments, the threat landscape continues to evolve.
The recent developments seen with TeamTNT’s modus operandi exemplify how critical it is for businesses to prioritize cybersecurity and employ proactive defense strategies.