Trend Micro -
Using a new batch of campaign samples, we take a look at its more recent cybercrime contributions and compare them with its previous deployments to demonstrate the group’s use of upgraded tools and payloads.
In previous entries, we described how the hacking group TeamTNT targeted unsecured Redis instances, exposed Docker APIs, and vulnerable Kubernetes clusters in order to deploy cryptocurrency-mining payloads and credential stealers. TeamTNT was one of the first cybercriminal groups to focus on cloud service providers (CSPs), specifically the metadata stored on elastic computing instances being run on cloud services. It is mainly engaged in the theft of environmental metadata used by CSPs. Because instance metadata and user data can’t be authenticated or encrypted, it’s important for users to avoid storing sensitive data in metadata fields, including secrets and CSP-related preauthorization data which can then be used in other services such as serverless deployments.
If a running instance used by a CSP customer is not properly configured or has a security weakness such as exposed APIs or leaked credentials, malicious actors who