Cryptomining now stealing aws credentials


TeamTNT, a crypto-mining malware operation, has become the first to incorporate a feature that scans for and steals AWS credentials.

Security researchers have discovered what appears to be the first crypto-mining malware operation that contains functionality to steal AWS credentials from infected servers.

This new data-stealing feature was spotted in the malware used by TeamTNT, a cybercrime group that targets Docker installs.

The group has been active since at least April, according to research published earlier this year by security firm Trend Micro.

Per the report, TeamTNT operates by scanning the internet for Docker systems that have been misconfigured and have left their management API exposed on the internet without a password.

The group would access the API and deploy servers inside the Docker install that would run DDoS and crypto-mining malware.

The whole process is explained here.

Kubernetes, the popular container orchestration system, is again involved in the new worm attack, publicized Aug. 17 by Cado Security.

“Over the weekend we’ve seen a crypto-mining worm spread that steals AWS credentials. It’s the first worm we’ve seen that contains such AWS specific functionality.

The worm also steals local credentials, and scans the internet for misconfigured Docker platforms. We have seen the attackers, who call themselves ‘TeamTNT’, compromise a number of Docker and Kubernetes systems,” Cado said.

The attack indicates a trend of the bad guys preying on organizations that are increasingly moving computing resources to cloud container environments, the firm said.


Security researchers have discovered cryptocurrency mining malware capable of stealing AWS credentials from infected servers. The malware was observed being used by TeamTNT, a cybercrime group that targets Docker installations.

According to researchers, TeamTNT has been active since April. TeamTNT scans the internet for misconfigured Docker systems that have their management API exposed without a password.

After gaining access to the API, they deploy servers inside the Docker installation that would run Distributed Denial-of-Service (DDoS) and cryptocurrency mining malware. The researchers have now discovered that the cybercrime group is targeting Kubernetes installations as well.

Sometimes the threat is more evolved, as seen in July, when a fresh Linux backdoor called Doki was seen infesting Docker servers to set the scene for any number of malware-based attacks, from denial-of-service/sabotage to information exfiltration to ransomware.

However, the focus on AWS in this latest set of campaigns – which were also flagged by MalwareHunterTeam – is unique, Cado researchers said.

Attacking AWS

The attack starts with targeting the way that AWS stores credentials in an unencrypted file at ~/.aws/credentials, and additional configuration details in a file at ~/.aws/config.

“The code to steal AWS credentials is relatively straightforward – on execution it uploads the default AWS credentials and config files to the attackers’ server, sayhi.bplace[.]net,” researchers explained. “Curl is used to send the AWS credentials to TeamTNT’s server.”

Interestingly, though the script is written to be a worm, the automated portion of the attack didn’t seem to be in full operation during the security firm’s analysis.

“We sent credentials created by CanaryTokens.org to TeamTNT, however have not seen them in use yet,” according to the post. “This indicates that TeamTNT either manually assess and use the credentials, or any automation they may have created isn’t currently functioning.”

The script that anchors TeamTNT’s worm is repurposed code from the aforementioned Kinsing malware, researchers said, which was originally used to scan for misconfigured Docker APIs, then spin up Docker images and install itself.

Researchers Detect Crypto-Mining Worm to Steal AWS Credentials (by Marie Huillet)

Cybersecurity researchers now expect future cryptojackers to mimic this worm’s ability to hack Amazon Web Services credentials.


Cybersecurity researchers have detected what they believe to be the first ever stealth crypto mining campaign to steal Amazon Web Services (AWS) credentials.

The mining campaign was described as being relatively unsophisticated by Cado Security in their report on Aug. 17. In total, it seems so far to have only resulted in the attackers — who operate under the name TeamTNT — pocketing a paltry $300 in illicit profits.

What struck the researchers’ attention was the crypto-mining worm’s specific functionality for stealing AWS credentials.

They added that copying code from other tools is common in this area of cybercrime.

“In turn, it is likely we will see other worms start to copy the ability to steal AWS credentials files too,” they said. “Whilst these attacks aren’t particularly sophisticated, the numerous groups out there deploying cryptojacking worms are successful at infecting large amounts of business systems.”

TeamTNT – It’s Dynamite

As far as attribution, TeamTNT announces itself in numerous references within the worm’s code, according to researchers, plus the group uses a domain called teamtnt[.]red. That domain hosts malware, and the homepage is entitled “TeamTNT RedTeamPentesting.”

TeamTNT has been prolific, and was spotted originally earlier in the year.

Also, review network traffic for any connections to mining pools or those sending the AWS credentials file over HTTP; and, use firewall rules to limit any access to Docker APIs.




Attackers install a number of other malicious tools as well, including an SSH post-exploitation script called punk.py, a log-cleaning tool, the Diamorphine rootkit, and the Tsunami IRC backdoor.

These kinds of cryptojacking attacks are particularly expensive for organizations, as attackers are taking advantage of their infrastructure’s processing resources to mine for cryptocurrencies.

Researchers sent credentials created by CanaryTokens.org to the command-and-control server, but said they have not yet seen those credentials in use. Many of the stolen credentials appear not to have been used as of Aug. 17, but that doesn’t mean they will never be used.

“Whilst these attacks aren’t particularly sophisticated, the numerous groups out there deploying cryptojacking worms are successful at infecting large amounts of business systems,” Cado Security said.

Crypto-mining campaigns frequently borrow techniques and code from each other. In this case, TeamTNT copied code from another worm called Kinsing.

Cado Security said other worms could start stealing AWS credentials, as well.

“It is likely we will see other worms start to copy the ability to steal AWS Credentials files too,” Cado Security said.

While there have been a number of malware campaigns targeting Docker and Kubernetes systems, and attacks looking for hard-coded or forgotten credentials, this AWS-specific functionality is new, said Cado Security. Firewall rules can limit access to Docker APIs, and it is safer to whitelist systems that should be allowed access.

TeamTNT, which itself borrowed from a previous worm.

In addition to crypto mining and credential theft, the worm installs malware and “offensive security tools.” As far as the crypto mining attack’s main goal, Cado said it has discovered only about a $300 gain, but cautioned that this worm was only one of many campaigns orchestrated by TeamTNT.

The post linked above provides exhaustive details about the attack, how it was discovered and more.

“Whilst these attacks aren’t particularly sophisticated, the numerous groups out there deploying crypto-jacking worms are successful at infecting large amounts of business systems,” said Cado, which offered the following tips for organizations to protect themselves:

  • Identify which systems are storing AWS credential files and delete them if they aren’t needed.
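To make two of the defensive tips above concrete (identifying which systems store AWS credential files, and reviewing outbound HTTP traffic for a credentials file being sent), here is an added Python example. It is not code from TeamTNT, Cado Security or any product. It assumes the default ~/.aws/credentials location named earlier, the standard INI profile layout of that file, and the AWS access-key-ID prefix convention (AKIA for long-term IAM user keys, ASIA for temporary STS keys); the credentials text, the host name collector.example.invalid, the key IDs and the HTTP records are all constructed for the demo.

```python
"""Defender-side helpers: inventory AWS credential files on a host (reporting only
key IDs and their type, never secrets) and flag outbound HTTP request bodies that
carry credentials-file content. Added example; sample inputs are constructed."""
import configparser
import re
import tempfile
from pathlib import Path

# AWS access key IDs: long-term IAM user keys begin "AKIA", temporary STS keys "ASIA".
# The prefix is followed by 16 upper-case alphanumerics.
KEY_ID_RE = re.compile(r"\b(A[KS]IA[0-9A-Z]{16})\b")
# A credentials-file line as it would appear inside an uploaded request body.
CRED_LINE_RE = re.compile(r"aws_access_key_id\s*=\s*(A[KS]IA[0-9A-Z]{16})", re.I)

# Constructed credentials file with one long-term and one temporary profile.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAEXAMPLE000000001
aws_secret_access_key = CONSTRUCTED_SECRET_DO_NOT_USE

[ci]
aws_access_key_id = ASIAEXAMPLE000000002
aws_secret_access_key = CONSTRUCTED_SECRET_DO_NOT_USE
aws_session_token = CONSTRUCTED_SESSION_TOKEN
"""

# Constructed outbound HTTP records, e.g. from a proxy or egress capture.
SAMPLE_HTTP = [
    {"method": "GET", "host": "updates.example.invalid", "body": ""},
    {"method": "POST", "host": "collector.example.invalid", "body": SAMPLE_CREDENTIALS},
    {"method": "POST", "host": "api.example.invalid", "body": '{"status": "ok"}'},
]


def classify_key(key_id: str) -> str:
    """Label a key ID by the documented AWS prefix convention."""
    if key_id.startswith("AKIA"):
        return "long-term"
    if key_id.startswith("ASIA"):
        return "temporary"
    return "unknown"


def parse_credentials_file(text: str) -> dict:
    """Parse the INI-style credentials file into {profile: {"key_id", "kind"}}.
    Secret keys and session tokens are deliberately not returned."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    profiles = {}
    for name in cp.sections():
        key_id = cp[name].get("aws_access_key_id", "").strip()
        if key_id:
            profiles[name] = {"key_id": key_id, "kind": classify_key(key_id)}
    return profiles


def inventory_credential_files(home_dirs) -> list:
    """For each home directory, report ~/.aws/credentials if present, with its
    profiles, so unneeded files can be found and removed."""
    findings = []
    for home in home_dirs:
        path = Path(home) / ".aws" / "credentials"
        if path.is_file():
            findings.append({"path": str(path),
                             "profiles": parse_credentials_file(path.read_text())})
    return findings


def find_credential_uploads(http_records) -> list:
    """Scan outbound HTTP records ({method, host, body}) for bodies that look
    like a credentials file; one hit per record, listing the key IDs seen."""
    hits = []
    for rec in http_records:
        key_ids = CRED_LINE_RE.findall(rec.get("body", ""))
        if key_ids:
            hits.append({"host": rec["host"], "method": rec["method"], "key_ids": key_ids})
    return hits


if __name__ == "__main__":
    # Build a throwaway home directory holding the constructed credentials file.
    with tempfile.TemporaryDirectory() as tmp:
        aws_dir = Path(tmp) / ".aws"
        aws_dir.mkdir()
        (aws_dir / "credentials").write_text(SAMPLE_CREDENTIALS)
        for finding in inventory_credential_files([tmp]):
            print("credential file:", finding["path"])
            for name, info in finding["profiles"].items():
                print(f"  profile {name}: {info['key_id']} ({info['kind']})")
    for hit in find_credential_uploads(SAMPLE_HTTP):
        print(f"possible credentials upload: {hit['method']} to {hit['host']}, keys {hit['key_ids']}")
```

In practice the inventory would be run over the real home directories of a fleet (for example via a configuration-management tool), and the HTTP scan over proxy or packet-capture output; a long-term key on a host that does not need one is the case worth removing first, and any outbound body matching the credentials-file shape warrants rotating the listed keys.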
