TeamTNT linked to stealing credentials for Azure and GCP, as well as AWS

An attacker that’s potentially the TeamTNT cryptojacking group has moved from stealing only AWS cloud credentials to now targeting Microsoft Azure and the Google Cloud Platform.

In blogs posted July 13 by SentinelLabs and Permiso, the researchers said the attacker targeted exposed Docker instances to deploy a worm-like propagation module.

While these campaigns share similarities with TeamTNT, the researchers said definitive attribution remains challenging because anyone can adapt the code for their own use.

According to the SentinelLabs researchers, from June 14 through June 30, they worked with Permiso’s team to track and analyze files related to a new incarnation of this campaign targeting exposed Docker services on Azure and GCP.

The SentinelLabs researchers said the hallmark shell scripts remain the core of these campaigns, though they also identified an Executable and Linkable Format (ELF) binary written in Golang. The research team at Aqua also recently reported elements they observed from the abuse of Docker images by these threat actors, and said they strongly believed TeamTNT was involved.

Why threat actors are moving to Azure and GCP

Historically, Azure and the Google Cloud Platform (GCP) have been a bit shielded from cyberattacks because these cloud services weren't as popular as AWS, so threat actors weren't attacking them as often, akin to how most viruses attack Windows PCs instead of Macs, said Teresa Rothaar, governance, risk and compliance analyst at Keeper Security. This may have caused some organizations to relax their security on those platforms in the face of fewer threats, said Rothaar.

“However, as organizations increasingly shift to a multi-cloud environment, Azure and GCP are increasing in popularity,” said Rothaar. “As a result, threat actors are increasing their attacks against them. Notice that these threat actors targeted Docker containers, not human users. This highlights the importance of securing not just human credentials, but credentials used by apps and services. Organizations must ensure that their Docker containers are configured properly, so that they’re not exposed on the open internet, and only accessible by the human users, apps and services that absolutely need access to them.”

Timothy Morris, chief security advisor at Tanium, added that the researchers showed that the attackers have upped their game going after cloud credentials. Morris said it’s evident their maturity has increased with better formatting and a modular scripting approach.

“That’s also a tell-tale sign that more is to come, and they will only get better and stealthier,” said Morris. “It’s important that organizations monitor their cloud assets closely. Remember the basics: strong MFA, least privileges, patch as quickly as possible, and ensure all cloud and container instances are properly configured.”