A malicious actor has been linked to a cloud credential stealing campaign in June 2023 that’s focused on Azure and Google Cloud Platform (GCP) services, marking the adversary’s expansion in targeting beyond Amazon Web Services (AWS).
The findings come from SentinelOne and Permiso, which said the “campaigns share similarity with tools attributed to the notorious TeamTNT cryptojacking crew,” although it emphasized that “attribution remains challenging with script-based tools.”
They also overlap with an ongoing TeamTNT campaign disclosed by Aqua, called Silentbob, which leverages misconfigured cloud services to drop malware as part of what’s said to be a testing effort; Aqua also linked the SCARLETEEL attacks to the same threat actor, citing infrastructure commonalities.
“TeamTNT is scanning for credentials across multiple cloud environments, including AWS, Azure, and GCP,” Aqua noted.
The attacks, which single out public-facing Docker instances to deploy a worm-like propagation module, are a continuation of an intrusion set that previously targeted Jupyter Notebooks in December 2022.
As many as eight incremental versions of the credential harvesting script have been discovered between June 15, 2023, and July 11, 2023, indicating an actively evolving campaign.
The newer versions of the malware are designed to gather credentials from AWS, Azure, Google Cloud Platform, Censys, Docker, Filezilla, Git, Grafana, Kubernetes, Linux, Ngrok, PostgreSQL, Redis, S3QL, and SMB. The harvested credentials are then exfiltrated to a remote server under the threat actor’s control.
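The list of credential stores above is a useful starting point for host-side detection. The following is an added example, not code from the article or from the SentinelOne, Permiso or Aqua reports: it maps the services named in the campaign to their usual default credential file locations (an assumption of this example; adjust to your environment), emits auditd watch rules for them, and flags any single process that reads several distinct credential stores within a short window, which is the behaviour a harvester exhibits and a normal CLI tool does not. The log records at the bottom are constructed, simplified stand-ins for audit events.

```python
"""
Added example (not from the article or the cited reports): turn the
credential stores targeted by the harvester into (a) auditd watch rules and
(b) a simple detection that flags one process reading several distinct
credential stores in quick succession.
"""
from collections import defaultdict
import os

# Default per-user credential locations for the services named in the
# campaign. These are assumed defaults, not paths taken from the reports.
CREDENTIAL_STORES = {
    "aws": [".aws/credentials", ".aws/config"],
    "azure": [".azure/accessTokens.json", ".azure/azureProfile.json"],
    "gcp": [".config/gcloud/credentials.db", ".config/gcloud/legacy_credentials"],
    "docker": [".docker/config.json"],
    "kubernetes": [".kube/config"],
    "git": [".git-credentials"],
    "postgresql": [".pgpass"],
    "ngrok": [".ngrok2/ngrok.yml", ".config/ngrok/ngrok.yml"],
    "filezilla": [".config/filezilla/sitemanager.xml"],
    "s3ql": [".s3ql/authinfo2"],
    "smb": [".smbcredentials"],
}


def auditd_rules(home_dirs, key="cloud_cred_access"):
    """Emit one auditd '-w <path> -p r -k <key>' watch rule per credential file
    for each home directory, so every read is logged under a common key."""
    rules = []
    for home in home_dirs:
        for rel_paths in CREDENTIAL_STORES.values():
            for rel in rel_paths:
                rules.append(f"-w {os.path.join(home, rel)} -p r -k {key}")
    return rules


def classify_path(path):
    """Return the service whose credential store an absolute path belongs to,
    or None when the path is not a known credential file."""
    for service, rel_paths in CREDENTIAL_STORES.items():
        for rel in rel_paths:
            if path.endswith("/" + rel) or ("/" + rel + "/") in path:
                return service
    return None


def suspicious_processes(records, window_seconds=60, min_services=3):
    """records: iterable of dicts with keys ts (epoch float), pid, exe, path.
    Returns {pid: {"exe": ..., "services": [...]}} for every process that read
    credential stores of at least min_services different services within any
    window_seconds-long window. A legitimate CLI normally touches only its own."""
    by_proc = defaultdict(list)
    for rec in records:
        service = classify_path(rec["path"])
        if service:
            by_proc[(rec["pid"], rec["exe"])].append((rec["ts"], service))

    hits = {}
    for (pid, exe), events in by_proc.items():
        events.sort()
        for start_ts, _ in events:
            in_window = {s for ts, s in events if start_ts <= ts <= start_ts + window_seconds}
            if len(in_window) >= min_services:
                hits[pid] = {"exe": exe, "services": sorted(in_window)}
                break
    return hits


# Constructed sample records: pid 1001 is the AWS CLI reading its own files,
# pid 2002 is a shell script sweeping five different credential stores.
SAMPLE_RECORDS = [
    {"ts": 1689000000.0, "pid": 1001, "exe": "/usr/bin/aws", "path": "/home/dev/.aws/credentials"},
    {"ts": 1689000001.0, "pid": 1001, "exe": "/usr/bin/aws", "path": "/home/dev/.aws/config"},
    {"ts": 1689000100.0, "pid": 2002, "exe": "/bin/bash", "path": "/home/dev/.aws/credentials"},
    {"ts": 1689000102.0, "pid": 2002, "exe": "/bin/bash", "path": "/home/dev/.azure/azureProfile.json"},
    {"ts": 1689000103.5, "pid": 2002, "exe": "/bin/bash", "path": "/home/dev/.config/gcloud/credentials.db"},
    {"ts": 1689000105.0, "pid": 2002, "exe": "/bin/bash", "path": "/home/dev/.docker/config.json"},
    {"ts": 1689000106.0, "pid": 2002, "exe": "/bin/bash", "path": "/home/dev/.kube/config"},
    {"ts": 1689000107.0, "pid": 2002, "exe": "/bin/bash", "path": "/home/dev/.bashrc"},
]

if __name__ == "__main__":
    for rule in auditd_rules(["/home/dev", "/root"]):
        print(rule)
    for pid, info in suspicious_processes(SAMPLE_RECORDS).items():
        print(f"pid {pid} ({info['exe']}) read credentials for: {', '.join(info['services'])}")
```

In a real deployment the rules go into /etc/audit/rules.d/ and the records come from correlating each SYSCALL event's pid and exe with its PATH record by audit message id; the threshold of three services in sixty seconds is a starting point to tune against the CLI tools actually used on the host.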
SentinelOne said the credential collection logic and the files targeted bear similarities to a Kubelet-targeting campaign undertaken by TeamTNT in September 2022.
Alongside the shell script malware, the threat actor has also been observed distributing a Golang-based ELF binary that acts as a scanner to propagate the malware to vulnerable targets. The binary further drops a Golang network scanning utility called Zgrab.
“This campaign demonstrates the evolution of a seasoned cloud actor with familiarity across many technologies,” security researchers Alex Delamotte, Ian Ahl, and Daniel Bohannon said. “The meticulous attention to detail indicates the actor has clearly experienced plenty of trial and error.”
“This actor is actively tuning and improving their tools. Based on the tweaks observed across the past several weeks, the actor is likely preparing for larger scale campaigns.”