cryptomining is stealing aws credentials

A vast attack surface is available at the cybercriminals disposal and the frequent attacks on cloud and container environments are evident of the very fact. Researchers recently have found a first-ever crypto-mining worm dubbed ‘TeamTNT’ containing Amazon Web Services (AWS) specific functionality.

In Mid-August, Team TNT updated its mode of operations which they have been following since April 2020 when it was first discovered.

  • A new data-stealing feature was added by Team TNT that enables the attackers to scan and steal AWS credentials. No other botnet is capable of scanning and stealing AWS credentials, making Team TNT the first botnet of its kind.
  • It also steals local credentials and scans the internet for misconfigured Docker systems.
  • To date, the attackers have compromised many Jenkins build servers, Docker and Kubernetes systems along with Kubernetes clusters.

TeamTNT uses the XMRig miner to mine Monero cryptocurrency besides acting as a botnet and a worm.


  • Several openly available malware can also be deployed by the worm and offensive security tools including punk.py, Diamorphine Rootkit, Tsunami IRC backdoor, and a log cleaning tool.
  • Two different Monero wallets associated with these latest attacks have earned TeamTNT about 3 XMR (approx $300).

as malware authors copy and paste their competitors’ code, researchers believe TeamTNT’s malware suite is an amalgamation of another worm named Kinsing. The Kinsing worm was designed to bypass Alibaba Cloud security tools. The Kinsing malware was used in early April 2020, in a bitcoin-mining campaign to scan for misconfigured Docker APIs, then spin up Docker images and install itself.

The latest set of campaigns has been flagged as a unique development by researchers. It is highly probable that other worms will start to copy the ability to steal AWS credentials. According to our security experts, in order to derail such attacks, organizations should consider reviewing their security configurations to protect AWS deployments from getting hijacked. Monitoring network traffic and using firewall rules to limit any access to Docker APIs is also recommended.

To read more, please check eScan Blog

Similar Posts:

Leave a comment