Bitcoin Forum
September 01, 2024, 11:24:57 AM *
News: Latest Bitcoin Core release: 27.1 [Torrent]
 
   Home   Help Search Login Register More  
Bitcoin Forum > Other > Beginners & Help > Team TNT: The first crypto-mining worm that steals AWS Credentials
Pages: [1]
« previous topic next topic »
  Print  
Author Topic: Team TNT: The first crypto-mining worm that steals AWS Credentials  (Read 115 times)
cryptomaniac_xxx (OP)
Hero Member
*****
Offline Offline

Activity: 1610
Merit: 601


View Profile
August 18, 2020, 08:10:03 AM
Last edit: January 29, 2021, 05:50:30 AM by cryptomaniac_xxx
 #1
It looks like we have a new crypto mining worm that evolves and now are also crypto jacking our AWS credentials. According to this report from CadoSecurity,

Quote

Over the weekend we’ve seen a crypto-mining worm spread that steals AWS credentials. It’s the first worm we’ve seen that contains such AWS specific functionality. The worm also steals local credentials, and scans the internet for misconfigured Docker platforms. We have seen the attackers, who call themselves “TeamTNT”, compromise a number of Docker and Kubernetes systems.

These attacks are indicative of a wider trend. As organisations migrate their computing resources to cloud and container environments, we are seeing attackers following them there.


message when you see when it was first run

Below are some suggestions to help protect them:

Quote
- Identify which systems are storing AWS credential files and delete them if they aren’t needed. It’s  common to find development credentials have accidentally been left on production systems.
- Use firewall rules to limit any access to Docker APIs. We strongly recommend using a whitelisted approach for your firewall ruleset.
- Review network traffic for any connections to mining pools, or using the Stratum mining protocol.
- Review any connections sending the AWS Credentials file over HTTP.

https://www.cadosecurity.com/2020/08/17/teamtnt-the-first-crypto-mining-worm-to-steal-aws-credentials/
cryptomaniac_xxx (OP)
Hero Member
*****
Offline Offline

Activity: 1610
Merit: 601


View Profile
January 29, 2021, 05:54:57 AM
 #2
Now Team TNT has upgraded their malware to evade detection.

Quote
TeamTNT is mostly known for targeting and compromising Internet-exposed Docker instances for unauthorized Monero (XMR) mining.

However, the group has also shifted tactics by updating its Linux cryptojacking malware named Black-T to also harvest user credentials from infected servers.

TeamTNT now further upgraded their malware to evade detection after infecting and deploying malicious coinminer payloads on Linux devices.

However, cyber threat investigators have unraveled how they do it:

Quote
"The group is using a new detection evasion tool, copied from open source repositories," AT&T Alien Labs security researcher Ofer Caspi says in a report published today.

This tool is known as libprocesshider and is an open-source tool available on Github that can be used to hide any Linux process with the help of the ld preloader.

"The objective of the new tool is to hide the malicious process from process information programs such as `ps` and `lsof`, effectively acting as a defense evasion technique," Caspi added.

The detection evasion tool is deployed on infected systems as a base64 encoded bash script embedded within the TeamTNT ircbot or cryptominer binary.

https://www.bleepingcomputer.com/news/security/linux-malware-uses-open-source-tool-to-evade-detection/
Pages: [1]
  Print  
Bitcoin Forum > Other > Beginners & Help > Team TNT: The first crypto-mining worm that steals AWS Credentials
 « previous topic next topic »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!