A new cloud credential stealing campaign has been discovered, targeting Azure and Google Cloud Platform (GCP) services. The campaign shares similarities with the TeamTNT cryptojacking group, but experts are not fully confident in the attribution.

Diving into details

The ongoing attacks specifically target public-facing Docker instances, deploying a worm-like propagation module. These attacks are part of a larger intrusion set that previously focused on Jupyter Notebooks in December 2022.
  • Between June 15, 2023, and July 11, 2023, researchers discovered up to eight new versions of the credential harvesting script, indicating an actively evolving campaign.
  • The latest iterations of the malware have been designed to gather credentials from various sources, including AWS, Azure, Google Cloud Platform, Censys, Docker, Filezilla, Git, Grafana, Kubernetes, Linux, Ngrok, PostgreSQL, Redis, S3QL, and SMB.
Attribution

  • According to SentinelOne, the methods used to collect credentials and the targeted files show similarities to a previous Kubelet-targeting campaign conducted by TeamTNT in September 2022.
  • Additionally, these attacks align with an ongoing TeamTNT campaign known as Silentbob, which exploits misconfigured cloud services to distribute malware as part of a testing initiative.
  • However, experts also suspect a connection with SCARLETEEL owing to a similarity in attack infrastructure. A significant piece of evidence linking these campaigns is that the SCARLETEEL 2.0 campaign involved a cryptocurrency miner utilizing the same Monero wallet address.

The shared wallet address suggests a strong connection between the campaigns. However, researchers acknowledge that definitively attributing this activity to TeamTNT remains difficult because the TTPs vary, even though the infrastructure is shared.

The bottom line

This campaign highlights the growth of an experienced cloud actor with knowledge across multiple technologies. While AWS has traditionally been a prime target for such actors, the inclusion of Azure and GCP credentials suggests the actor sees value in data sources beyond AWS. Restricting Docker access to what the organization actually requires and minimizing exposure to external connections will help reduce the risk.
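The entry point described under "Diving into details" is a Docker API reachable from the internet, and the mitigation in the bottom line is to restrict that access. The following script is an added example (it is not part of the Cyware article and is not tooling from SentinelOne or the campaign): it audits a Docker `daemon.json` and flags a TCP listener that is bound to every interface or that lacks mutually authenticated TLS (`tlsverify`). The two sample configurations, the file paths in them, and the `audit_daemon_config` function name are all constructed for this example.

```python
"""
Added example (not from the Cyware article): audit a Docker daemon.json
for a remotely reachable API socket, the exposure this campaign abuses.
All configs and paths below are constructed for illustration.
"""
import json
import sys
from urllib.parse import urlsplit

# Constructed sample: the weak setting. The API listens on all interfaces
# over plain TCP, so anyone who can reach port 2375 controls the daemon.
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

# Constructed sample: the hardened variant. The API stays on the local Unix
# socket; the TCP listener is bound to one internal interface and requires
# a client certificate signed by the configured CA (tlsverify).
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tls": true,
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""

# Bind addresses that mean "every interface" and therefore external exposure.
WILDCARD_ADDRS = {"", "0.0.0.0", "::"}


def audit_daemon_config(text):
    """Return a list of human-readable findings for a daemon.json document.

    An empty list means no remotely exposed, unauthenticated API was found
    in the 'hosts' setting.
    """
    cfg = json.loads(text)
    findings = []
    client_auth = bool(cfg.get("tlsverify"))
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local-only
        addr = urlsplit(host).hostname or ""
        if addr in WILDCARD_ADDRS:
            findings.append(f"{host}: API bound to all interfaces")
        if not client_auth:
            findings.append(
                f"{host}: TCP listener without tlsverify "
                "(remote API accepts unauthenticated clients)"
            )
    return findings


if __name__ == "__main__":
    # With a path argument, audit that file; otherwise show both samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            for line in audit_daemon_config(fh.read()):
                print("FINDING:", line)
    else:
        for label, doc in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
            print(f"{label}: {audit_daemon_config(doc) or 'no findings'}")
```

The check only covers `daemon.json`; `dockerd` can also be given `-H tcp://...` directly on the command line (for example in a systemd unit's `ExecStart`), so an audit should inspect the running daemon's arguments as well. Even the hardened form is a fallback: if no workflow needs the remote API, the safest setting is to keep only the Unix socket and rely on an SSH tunnel or context for remote administration.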
Cyware Publisher