5.9 C
United States of America
Monday, November 25, 2024

Infamous Hacker Group TeamTNT Launches New Cloud Assaults for Crypto Mining


Oct 26, 2024Ravie LakshmananCloud Safety / Cryptocurrency

Infamous Hacker Group TeamTNT Launches New Cloud Assaults for Crypto Mining

The notorious cryptojacking group referred to as TeamTNT seems to be readying for a brand new large-scale marketing campaign concentrating on cloud-native environments for mining cryptocurrencies and renting out breached servers to third-parties.

“The group is at present concentrating on uncovered Docker daemons to deploy Sliver malware, a cyber worm, and cryptominers, utilizing compromised servers and Docker Hub because the infrastructure to unfold their malware,” Assaf Morag, director of risk intelligence at cloud safety agency Aqua, stated in a report revealed Friday.

The assault exercise is as soon as once more a testomony to the risk actor’s persistence and its capability to evolve its ways and mounting multi-stage assaults with the purpose of compromising Docker environments and enlisting them right into a Docker Swarm.

Cybersecurity

Moreover utilizing Docker Hub to host and distribute their malicious payloads, TeamTNT has been noticed providing the victims’ computational energy to different events for illicit cryptocurrency mining, diversifying its monetization technique.

Rumblings of the assault marketing campaign emerged earlier this month when Datadog disclosed malicious makes an attempt to corral contaminated Docker cases right into a Docker Swarm, alluding it could possibly be the work of TeamTNT, whereas additionally stopping wanting making a proper attribution. However the full extent of the operation hasn’t been clear, till now.

Morag instructed The Hacker Information that Datadog “discovered the infrastructure in a really early stage” and that their discovery “compelled the risk actor to vary the marketing campaign a bit.”

Cloud Attacks for Crypto Mining

The assaults entail figuring out unauthenticated and uncovered Docker API endpoints utilizing masscan and ZGrab and utilizing them for cryptominer deployment and promoting the compromised infrastructure to others on a mining rental platform referred to as Mining Rig Leases, successfully offloading the job of getting to handle them themselves, an indication of the maturation of the illicit enterprise mannequin.

Particularly, that is carried out by way of an assault script that scans for Docker daemons on ports 2375, 2376, 4243, and 4244 throughout practically 16.7 million IP addresses. It subsequently deploys a container working an Alpine Linux picture with malicious instructions.

The picture, retrieved from a compromised Docker Hub account (“nmlm99”) beneath their management, additionally executes an preliminary shell script named the Docker Gatling Gun (“TDGGinit.sh”) to launch post-exploitation actions.

One notable change noticed by Aqua is the shift away from the Tsunami backdoor to the open-source Sliver command-and-control (C2) framework for remotely commandeering the contaminated servers.

“Moreover, TeamTNT continues to make use of their established naming conventions, equivalent to Chimaera, TDGG, and bioset (for C2 operations), which reinforces the concept that this can be a basic TeamTNT marketing campaign,” Morag stated.

Cybersecurity

“On this marketing campaign TeamTNT can be utilizing anondns (AnonDNS or Nameless DNS is an idea or service designed to offer anonymity and privateness when resolving DNS queries), with the intention to level to their internet server.”

The findings come as Development Micro make clear a brand new marketing campaign that concerned a focused brute-force assault towards an unnamed buyer to ship the Prometei crypto mining botnet.

“Prometei spreads within the system by exploiting vulnerabilities in Distant Desktop Protocol (RDP) and Server Message Block (SMB),” the corporate stated, highlighting the risk actor’s efforts on organising persistence, evading safety instruments, and gaining deeper entry to a company’s community by way of credential dumping and lateral motion.

“The affected machines hook up with a mining pool server which can be utilized to mine cryptocurrencies (Monero) on compromised machines with out the sufferer’s information.”

Discovered this text fascinating? Comply with us on Twitter and LinkedIn to learn extra unique content material we publish.



Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest Articles