TeamTNT, a notorious hacking group, seems to have made a comeback with a fresh botnet campaign that specifically aims at infiltrating cloud-native environments. Their current focus appears to be infecting systems and testing their capabilities.
Security researchers at Aqua Nautilus have identified the primary targets of this attack, which include:
- Docker and Kubernetes environments
- Redis servers
- Postgres databases
- Hadoop clusters
- Tomcat and Nginx servers
- Weave Scope
- Jupyter applications
They have released a detailed blog providing insights into the campaign.
By gaining access to TeamTNT’s Command Control (C2) server, Aqua Nautilus obtained valuable intelligence about the botnet campaign. The C2 server acts as a central hub to synchronize the botnet and exert additional control over it.
The botnet employs continuous scanning of the internet to locate exposed vulnerabilities in cloud environments, which they can exploit further. Aqua’s analysis using honeypots revealed that every public IPv4 address worldwide is scanned by TeamTNT’s botnet approximately 1.3 times an hour.
Throughout their campaign, TeamTNT utilizes various techniques, including:
- Gaining access to credentials
- Evading defenses
- Escalating privileges
- Establishing backdoors for persistence
- Exploiting misconfigured Docker APIs for initial access
- Exploiting misconfigured Kubernetes clusters
- Scanning AWS, Azure, and GCP for credentials and sensitive information
- Executing malicious commands
By compromising code repositories, build processes, and cloud environments, TeamTNT can inject malicious code, tamper with build artifacts, and gain unauthorized access to sensitive data.
Considering the infrastructure, techniques, and similarities to previous activities, it is highly likely that this campaign can be attributed to the TeamTNT hacking group.