TeamTNT Upgrades Arsenal, Refines Focus on Kubernetes and GPU Environments

Trend Micro -

TeamTNT Upgrades Arsenal Refines Focus on Kubernetes and GPU Environments

Using a new batch of campaign samples, we take a look at its more recent cybercrime contributions and compare them with its previous deployments to demonstrate the group’s use of upgraded tools and payloads.

By: David Fiser, Alfredo Oliveira November 11, 2021 Read time:  ( words)

In previous entries, we described how the hacking group TeamTNT targeted unsecured Redis instancesexposed Docker APIs, and vulnerable Kubernetes clusters in order to deploy cryptocurrency-mining payloads and credential stealers. TeamTNT was one of the first cybercriminal groups to focus on cloud service providers (CSPs), specifically the metadata stored on elastic computing instances being run on cloud services. It is mainly engaged in the theft of environmental metadata used by CSPs. Because instance metadata and user data can’t be authenticated or encrypted, it’s important for users to avoid storing sensitive data in metadata fields, including secrets and CSP-related preauthorization data which can then be used in other services such as serverless deployments.

If a running instance used by a CSP customer is not properly configured or has a security weakness such as exposed APIs or leaked credentials, malicious actors who

Read More: