An attacker that’s potentially the TeamTNT cryptojacking group has moved from stealing only AWS cloud credentials to now targeting Microsoft Azure and the Google Cloud Platform.

In blogs posted July 13 by SentinelLabs and Permiso, the researchers said the attacker targeted exposed Docker instances to deploy a worm-like propagation module.

While these campaigns share similarities with TeamTNT, the researchers said definitive attribution remains challenging because anyone can adapt the code for their own use.

According to the SentinelLabs researchers, from June 14 through June 30, they worked with Permiso’s team to track and analyze files related to a new incarnation of this campaign targeting exposed Docker services on Azure and GCP. The SentinelLabs researchers said the hallmark shell scripts remain the core of these campaigns, though they also identified an Executable and Linkable Format (ELF) binary written in Golang.

The research team at Aqua also recently reported elements they observed from the abuse of Docker images by these threat actors, and said they strongly believed TeamTNT was involved.
Cloud Security, Identity
TeamTNT linked to stealing credentials for Azure and GCP, as well as AWS

Researchers believe the TeamTNT cryptojacking group is targeting stolen credentials for Google Cloud and Microsoft Azure. (Adobe Stock Images)