Rising Threat from TeamTNT in New Cloud Attack Campaign
The notorious hacking group TeamTNT has resumed activity with a new cloud attack campaign aimed at cloud-native systems. The group is not only targeting vulnerable environments to mine cryptocurrency but also selling access to compromised servers. According to a report by Assaf Morag, director of threat intelligence at Aqua Security, TeamTNT’s latest attack leverages exposed Docker daemons to deploy the Sliver command-and-control implant, a cyber worm, and crypto mining software. The group relies on Docker Hub to distribute its malware and uses the compromised servers as infrastructure for expanding its reach.
Morag emphasized TeamTNT’s resilience in evolving its tactics, making it a persistent threat to cloud environments. By exploiting Docker’s ecosystem, the group is recruiting Docker environments into a larger Docker Swarm for crypto mining, demonstrating sophisticated multi-stage attacks.
Diversified Monetization Tactics and New Attack Methods
Beyond crypto mining, TeamTNT’s campaign broadens its monetization by allowing third parties to rent access to compromised computational resources. Initial warnings surfaced earlier this month when Datadog observed malicious activity attempting to recruit exposed Docker instances, suggesting TeamTNT’s involvement, though without official attribution at the time. Morag disclosed that Datadog’s early findings disrupted the campaign’s initial stages, prompting TeamTNT to adjust its tactics.
The attack focuses on identifying and exploiting Docker daemon API endpoints that are reachable over TCP (conventionally port 2375) without TLS client authentication, using scanning tools such as masscan and ZGrab. After locating vulnerable endpoints, TeamTNT deploys crypto miners and rents out these infrastructures via a platform called Mining Rig Rentals, outsourcing management responsibilities to third parties. Aqua Security noted that this evolution indicates a maturing business model within the illicit mining ecosystem.
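The two defensive checks a practitioner would want against the technique described above are (1) confirming that no Docker daemon on their own hosts listens on TCP without TLS client verification, and (2) flagging API calls that look like a daemon being hijacked or enrolled into an attacker-controlled swarm. The Python below is an added example written for this page; it is not code from Aqua Security, Datadog, or the campaign itself. The daemon.json documents and the request records are constructed samples, and the flat `{"src", "method", "path", "body"}` record layout is an assumption about how a reverse proxy or audit hook in front of the daemon would export requests.

```python
"""Audit Docker daemon exposure and triage Docker Engine API requests.

Added example for this article. The sample configs and request records
below are constructed, not captured from any real host.
"""
import ipaddress
import json
import re

# --- 1. daemon.json audit -------------------------------------------------

# Constructed sample: the weak setting behind the scans described in the text.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed sample: TLS client verification on, bound to a management address.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.1:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

_TCP_HOST = re.compile(r"^tcp://(\[[^\]]*\]|[^:/]*)(?::(\d+))?")


def audit_daemon_config(daemon_json: str) -> list[str]:
    """Return findings for a daemon.json document.

    A tcp:// listener is only safe when tlsverify is on and the CA, cert and
    key paths are all set; otherwise anyone who can reach the port owns the host.
    """
    cfg = json.loads(daemon_json)
    tls_ok = cfg.get("tlsverify") is True and all(
        k in cfg for k in ("tlscacert", "tlscert", "tlskey")
    )
    findings = []
    for host in cfg.get("hosts", []):
        m = _TCP_HOST.match(host)
        if not m:
            continue  # unix:// and fd:// sockets are local-only
        bind_addr = m.group(1).strip("[]")
        if not tls_ok:
            findings.append(f"{host}: TCP listener without tlsverify (unauthenticated remote API)")
        elif bind_addr in ("", "0.0.0.0", "::"):
            findings.append(f"{host}: TLS enabled but bound to all interfaces; restrict reachability")
    return findings


# --- 2. request triage ------------------------------------------------------

# Assumption: legitimate API clients live on this management network.
MGMT_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed request records (format is an assumption, see lead-in).
SAMPLE_REQUESTS = [
    {"src": "203.0.113.7", "method": "GET", "path": "/v1.43/version", "body": None},
    {"src": "203.0.113.7", "method": "POST", "path": "/v1.43/containers/create",
     "body": {"Image": "alpine:latest",
              "HostConfig": {"Privileged": True,
                             "Binds": ["/:/host", "/var/run/docker.sock:/var/run/docker.sock"]}}},
    {"src": "203.0.113.7", "method": "POST", "path": "/v1.43/swarm/join",
     "body": {"RemoteAddrs": ["198.51.100.9:2377"]}},
    {"src": "10.0.0.5", "method": "POST", "path": "/v1.43/containers/create",
     "body": {"Image": "nginx:1.27",
              "HostConfig": {"Privileged": False, "Binds": ["/srv/www:/usr/share/nginx/html:ro"]}}},
]

_VERSION_PREFIX = re.compile(r"^/v\d+\.\d+")


def triage_request(req: dict) -> list[str]:
    """Return the reasons a single Docker API request deserves a look (empty if none)."""
    reasons = []
    src = ipaddress.ip_address(req["src"])
    if not any(src in net for net in MGMT_NETS):
        reasons.append("source outside management network")
    path = _VERSION_PREFIX.sub("", req["path"])  # the /vX.Y prefix is optional
    host_cfg = ((req.get("body") or {}).get("HostConfig") or {})
    if path == "/containers/create":
        if host_cfg.get("Privileged"):
            reasons.append("privileged container")
        for bind in host_cfg.get("Binds", []):
            host_side = bind.split(":")[0]
            if host_side in ("/", "/var/run/docker.sock"):
                reasons.append(f"host bind mount {host_side}")
    if path in ("/swarm/init", "/swarm/join"):
        reasons.append("swarm membership change")
    return reasons


def triage_all(requests: list[dict]) -> dict[int, list[str]]:
    """Map the index of each flagged request to its reasons; clean requests are omitted."""
    return {i: r for i, r in ((i, triage_request(q)) for i, q in enumerate(requests)) if r}


if __name__ == "__main__":
    print(audit_daemon_config(WEAK_DAEMON_JSON))
    print(audit_daemon_config(HARDENED_DAEMON_JSON))
    for idx, why in triage_all(SAMPLE_REQUESTS).items():
        print(idx, SAMPLE_REQUESTS[idx]["path"], why)
```

The triage keys on the same primitives the campaign needs: a container created with `Privileged` or with the host root or Docker socket bind-mounted, and `POST /swarm/join` or `/swarm/init` arriving from outside the expected management range. A routine deployment from the management network with a read-only bind of an application directory produces no finding.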
New Techniques and Additional Security Concerns in the New Cloud Attack Campaign
Aqua Security reported a notable shift in TeamTNT’s methodology, including the replacement of their previous Tsunami backdoor with the open-source Sliver command-and-control (C2) framework for remotely managing infected servers. The group also uses Anondns, an anonymous DNS service, to direct traffic to its web servers while keeping the operators’ identity hidden, further obscuring its infrastructure. Naming conventions TeamTNT has used before, such as Chimaera, TDGG, and bioset, persist, supporting attribution of this campaign to the group.
In a parallel discovery, cybersecurity firm Trend Micro reported a related campaign targeting an unnamed customer, delivering the Prometei botnet, which spreads through Remote Desktop Protocol (RDP) and Server Message Block (SMB) vulnerabilities. This botnet establishes a persistent presence, allowing further network penetration through credential dumping and lateral movement, ultimately connecting compromised machines to crypto mining pools to mine Monero without the user’s knowledge.
These incidents underscore the continued sophistication and threat posed by TeamTNT and similar hacking groups, pushing security teams to remain vigilant against evolving cloud-based threats.