News

'TeamTNT' Cryptominers Are Swiping AWS Credentials

• By David Ramel
• 08/18/2020

Security researchers are warning of a cryptomining exploit that steals credentials stored on Amazon Web Services (AWS) to compromise cloud containers.

Cryptomining (also known as cryptocurrency mining or bitcoin mining) is a way to generate digital currency wealth by leveraging powerful computing power. While not illegal, it requires tremendous computing effort for usually minimal gains. It is, of course, illegal to hijack other organizations' computing power for the mining. The whole process is explained here.

Recently, hackers turned Kubernetes machine learning to cryptomining on Microsoft's Azure cloud. Kubernetes is again involved in the new worm attack, publicized this week by Cado Security.

"Over the weekend we've seen a crypto-mining worm spread that steals AWS credentials. It's the first worm we've seen that contains such AWS specific functionality," Cado said in a blog post Monday. "The worm also steals local credentials, and scans the internet for misconfigured Docker platforms. We have seen the attackers, who call themselves 'TeamTNT', compromise a number of Docker and Kubernetes systems."

The attack indicates a trend of hackers preying on organizations that are increasingly moving computing resources to cloud container environments, the firm said. That trend will likely see more attackers duplicate the credential-stealing capability used by TeamTNT, which itself borrowed from a previous worm.

In addition to cryptomining and credential theft, the worm installs malware and "offensive security tools." As far as the cryptomining attack's main goal, Cado said it has discovered only about a $300 gain, but cautioned that this worm was only one of many campaigns orchestrated by TeamTNT.

The Cado post provides exhaustive details about the attack, how it was discovered and more.

"Whilst these attacks aren't particularly sophisticated, the numerous groups out there deploying crypto-jacking worms are successful at infecting large amounts of business systems," said Cado, which offered the following tips for organizations to protect themselves:

• Identify which systems are storing AWS credential files and delete them if they aren't needed. It's common to find development credentials have accidentally been left on production systems.
• Use firewall rules to limit any access to Docker APIs. We strongly recommend using a whitelisted approach for your firewall ruleset.
• Review network traffic for any connections to mining pools, or using the Stratum mining protocol.
• Review any connections sending the AWS Credentials file over HTTP.

Cado credited other security research efforts fighting the cryptominers, including Trend Micro, Malware Hunter Team and r3dbU7z.