
Ethical Hacking News

The Evasive Nature of TeamTNT: Unpacking the New Cloud Attacks for Crypto Mining


TeamTNT has launched a new large-scale campaign targeting exposed Docker daemons for deployment of Sliver malware and cryptominers, showcasing its persistence and ability to evolve its tactics. The malicious activity highlights the need for cloud security firms and organizations to remain vigilant and up-to-date on the latest developments in order to counter this notorious group's activities.

  • TeamTNT has launched a new campaign targeting exposed Docker daemons for deployment of Sliver malware and cryptominers.
  • The group is using compromised servers and Docker Hub as the infrastructure to spread their malware.
  • TeamTNT is now targeting cloud-native environments for mining cryptocurrencies and renting out breached servers to third parties.
  • The group uses an attack script that scans for Docker daemons on ports 2375, 2376, 4243, and 4244 across nearly 16.7 million IP addresses.
  • TeamTNT has diversified its monetization strategy by offering victims' computational power to other parties for illicit cryptocurrency mining.
  • The group is using the open-source Sliver command-and-control framework for remotely commandeering infected servers.
  • TeamTNT continues to use established naming conventions, such as Chimaera and TDGG, in its campaigns.



    The threat landscape of cryptocurrency mining has long been a hotbed of malicious activity, with groups like TeamTNT consistently pushing the boundaries of what is possible in terms of exploiting cloud-native environments. Recently, it has come to light that this notorious group has launched a new campaign targeting exposed Docker daemons for deployment of Sliver malware and cryptominers.

    The infamous cryptojacking group known as TeamTNT appears to be readying for a new large-scale campaign targeting cloud-native environments for mining cryptocurrencies and renting out breached servers to third parties. According to Assaf Morag, director of threat intelligence at cloud security firm Aqua, the group is currently targeting exposed Docker daemons to deploy Sliver malware, a cyber worm, and cryptominers, using compromised servers and Docker Hub as the infrastructure to spread its malware.

    "This new campaign is once again a testament to the threat actor's persistence and its ability to evolve its tactics and mounting multi-stage assaults with the goal of compromising Docker environments and enlisting them into a Docker Swarm," Morag said in a report published Friday. "The group is using an attack script that scans for Docker daemons on ports 2375, 2376, 4243, and 4244 across nearly 16.7 million IP addresses. It subsequently deploys a container running an Alpine Linux image with malicious commands."
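The entry point described above is a Docker daemon whose remote API is reachable on the scanned ports without authentication. The following added example (not code from the original article or from Aqua) audits a Docker daemon.json 'hosts' list from the defender's side: it rates each TCP listener as loopback-only, TLS-protected, or unauthenticated, and flags the ports named in the report. The daemon.json key names are Docker's real ones; the sample configurations are constructed.

```python
import json
from urllib.parse import urlsplit

# Ports the TeamTNT scanner probes, as quoted from the Aqua report above.
TEAMTNT_SCAN_PORTS = {2375, 2376, 4243, 4244}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_daemon_hosts(daemon_json: str) -> list:
    """Rate every tcp:// listener in a daemon.json 'hosts' list.

    Returns one dict per TCP listener: listener, port, severity, reason.
    Unix sockets are skipped; an internet-wide scan cannot reach them.
    """
    cfg = json.loads(daemon_json)
    # TLS only protects the API when client verification is on and all material is set.
    tls_verified = bool(cfg.get("tlsverify")) and all(
        cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey"))
    findings = []
    for listener in cfg.get("hosts", []):
        if not listener.startswith("tcp://"):
            continue
        url = urlsplit(listener)
        bind = url.hostname or ""  # empty host means every interface, like 0.0.0.0
        port = url.port or (2376 if tls_verified else 2375)  # dockerd defaults if omitted
        if bind in LOOPBACK:
            severity, reason = "info", "API bound to loopback only; not remotely reachable"
        elif tls_verified:
            severity, reason = "medium", "remote API reachable but requires a client certificate"
        else:
            severity, reason = "critical", "unauthenticated remote API; anyone reaching it can run containers"
        if port in TEAMTNT_SCAN_PORTS and bind not in LOOPBACK:
            reason += f"; port {port} is in the TeamTNT scan list"
        findings.append({"listener": listener, "port": port, "severity": severity, "reason": reason})
    return findings


# Constructed sample configurations (not taken from any real host).
WEAK_CONFIG = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_CONFIG = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for f in audit_daemon_hosts(cfg):
            print(f"{name}: {f['severity'].upper()} {f['listener']}: {f['reason']}")
```

Run it against the file on a host to confirm the daemon is not one of the listeners the campaign's scanner is looking for; a "critical" finding on a host with a public address is exactly the exposure the report describes.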

    Furthermore, TeamTNT has been observed offering the victims' computational power to other parties for illicit cryptocurrency mining, diversifying its monetization strategy. This new approach highlights the maturation of the illicit business model employed by the group.

    One notable change observed by Aqua is the shift away from the Tsunami backdoor to the open-source Sliver command-and-control (C2) framework for remotely commandeering the infected servers. Additionally, TeamTNT continues to use its established naming conventions, such as Chimaera, TDGG, and bioset (for C2 operations), which reinforces the idea that this is a classic TeamTNT campaign.

    The group has also been using anondns (AnonDNS, or Anonymous DNS, a service designed to provide anonymity and privacy when resolving DNS queries) to point to its web server. In a separate development, recent findings have shed light on a new campaign involving a targeted brute-force attack against an unnamed customer to deliver the Prometei crypto mining botnet.

    "Prometei spreads in the system by exploiting vulnerabilities in Remote Desktop Protocol (RDP) and Server Message Block (SMB)," the company said, highlighting the threat actor's efforts on setting up persistence, evading security tools, and gaining deeper access to an organization's network through credential dumping and lateral movement. "The affected machines connect to a mining pool server which can be used to mine cryptocurrencies (Monero) on compromised machines without the victim's knowledge."

    This new wave of attacks underscores the ever-evolving nature of TeamTNT's tactics and its continued ability to adapt and evolve in response to emerging threats. As cloud security firms and organizations continue to work towards mitigating these types of threats, it is clear that staying vigilant and up-to-date on the latest developments will be crucial in countering the nefarious activities of this notorious group.



    Related Information:

  • https://thehackernews.com/2024/10/notorious-hacker-group-teamtnt-launches.html

  • https://www.sepe.gr/en/it-technology/cybersecurity/22494304/notorious-hacker-group-teamtnt-launches-new-cloud-attacks-for-crypto-mining/

  • https://www.trendmicro.com/en_us/research/24/j/unmasking-prometei-a-deep-dive-into-our-mxdr-findings.html

  • https://blog.talosintelligence.com/prometei-botnet-improves/


  • Published: Sat Oct 26 11:30:05 2024 by llama3.2 3B Q4_K_M