Heimdal

In June 2023, a threat actor was linked to a cloud credential stealing campaign that targeted Microsoft Azure and Google Cloud Platform (GCP) services, expanding the adversary’s scope of attack beyond Amazon Web Services (AWS).

After conducting investigations, security researchers found that the campaign shares similarities with tools attributed to the notorious TeamTNT cryptojacking crew.

The tools also overlap with TeamTNT's ongoing Silentbob campaign, which Aqua recently made public. Silentbob abuses misconfigured cloud services to distribute malware as part of what is allegedly a testing operation, and the SCARLETEEL attacks are linked to the same threat actor because they share infrastructure.

Aqua noted that TeamTNT is scanning for credentials across multiple cloud environments, including AWS, Azure, and GCP.

What We Know So Far About The Campaign

As reported by The Hacker News, the attacks are a continuation of an intrusion set that attacked Jupyter Notebooks in December 2022 and specifically targeted public-facing Docker hosts to deploy a worm-like propagation module.

Between June 15, 2023, and July 11, 2023, up to eight incremental versions of the credential harvesting script were found, which is evidence of an ongoing effort.

AWS, Azure, Google Cloud Platform, Censys, Docker, FileZilla, Git, Grafana, Kubernetes, Linux, Ngrok, PostgreSQL, Redis, S3QL, and SMB are among the platforms from which the malware's more recent versions are designed to collect credentials. The threat actors then exfiltrate the harvested credentials to a remote server under their control.
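As an added example (not code from the article or from the researchers' reports), the following Python audit gives a defender a quick inventory of which well-known per-user credential stores for the platforms listed above are present on a Linux host and whether any of them are readable by group or other users. The path list is an assumption: it covers the default locations the respective tools use on Linux, so stores relocated through environment variables or custom configuration are not found.

```python
import stat
from pathlib import Path

# Default per-user credential stores for platforms named in the article.
# Assumption: tools were installed with default settings on Linux.
CREDENTIAL_STORES = {
    "AWS": [".aws/credentials"],
    "Azure": [".azure"],
    "GCP": [".config/gcloud/application_default_credentials.json",
            ".config/gcloud/credentials.db"],
    "Docker": [".docker/config.json"],
    "Kubernetes": [".kube/config"],
    "Git": [".git-credentials"],
    "FileZilla": [".config/filezilla/sitemanager.xml"],
    "PostgreSQL": [".pgpass"],
    "Redis": [".rediscli_history"],
    "Ngrok": [".ngrok2/ngrok.yml", ".config/ngrok/ngrok.yml"],
    "S3QL": [".s3ql/authinfo2"],
}


def audit_credential_stores(home):
    """Return {platform: [(path, owner_only)]} for stores present under `home`.

    owner_only is False when the file or directory mode grants read access
    to group or other users, i.e. any local account could copy the secret.
    """
    home = Path(home)
    findings = {}
    for platform, rel_paths in CREDENTIAL_STORES.items():
        for rel in rel_paths:
            p = home / rel
            if not p.exists():
                continue
            mode = stat.S_IMODE(p.stat().st_mode)
            exposed = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
            findings.setdefault(platform, []).append((str(p), not exposed))
    return findings


if __name__ == "__main__":
    # Audit the current user's home directory and flag loosely permissioned stores.
    for platform, items in audit_credential_stores(Path.home()).items():
        for path, owner_only in items:
            status = "ok" if owner_only else "GROUP/WORLD READABLE"
            print(f"{platform:12} {path}  {status}")
```

Run it under each account that operates cloud tooling; a store that is absent from the output is not present at its default location, not necessarily absent from the host.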

Security researchers also noted that the credential collection logic and the files targeted bear similarities to another campaign undertaken by TeamTNT in September 2022.

Security researchers Alex Delamotte, Ian Ahl, and David Bohannon said that this campaign demonstrates the evolution of a seasoned cloud actor with familiarity across many technologies. They also remarked that TeamTNT is actively tuning and improving its tools, and based on the modifications observed across the past weeks, the threat actor is likely preparing for larger-scale campaigns.


Author Profile

Cristian Neagu

CONTENT EDITOR


Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, proof being in his skill of communicating cybersecurity norms effectively, in an easy-to-understand manner.
