Cryptomining now stealing AWS credentials

They said they sent a collection of canary credentials to the TeamTNT C&C server, but none of those accounts have been accessed prior to Aug. 17, when they published their research.

Nevertheless, when the attackers decide to do so, TeamTNT stands to seriously boost its profits, either by installing crypto-mining malware in more powerful AWS EC2 clusters directly or by selling the stolen credentials on the black market.

Right now, Cado has only a limited view into TeamTNT’s operation, as the security firm has been able to track only a few of the Monero wallet addresses that the group uses to collect mined funds.

Once on the infected system, the bot can look for exposed user credentials on the underlying AWS infrastructure. In this case, it is looking for the ~/.aws/credentials and ~/.aws/config files, where the AWS Command Line Interface (CLI) typically stores unencrypted credentials and configuration details.

Once found, the files are copied and uploaded to the attacker’s command-and-control server using curl.

“The code to steal AWS credentials is relatively straightforward – on execution it uploads the default AWS credentials and config files to the attackers’ server,” Cado Security said.

Once the infrastructure has been compromised, the bot sets up its own containers to mine Monero cryptocurrency and to scan for additional Docker and Kubernetes servers.


TeamTNT has now also expanded its attacks to target Kubernetes installations.

TeamTNT now steals AWS credentials

But while expanding its target base is generally pretty important, Cado researchers said there’s even a bigger update — namely a new feature that scans the underlying infected servers for any Amazon Web Services (AWS) credentials.

If the infected Docker and Kubernetes systems run on top of AWS infrastructure, the TeamTNT gang scans for ~/.aws/credentials and ~/.aws/config, and copies and uploads both files onto its command-and-control server.

Both of these files are unencrypted and contain plaintext credentials and configuration details for the underlying AWS account and infrastructure.

Cado researchers believe the attacker has not yet moved to use any of the stolen credentials.

“We have seen the attackers…compromise a number of Docker and Kubernetes systems.”

As more businesses embrace cloud and container environments, it has opened up a new attack surface for cybercriminals via misconfiguration. That said, cryptomining threats taking aim at Docker and Kubernetes aren’t new.

Attackers continue to scan for publicly accessible, open Docker/Kubernetes servers in an automated fashion, and then exploit them in order to set up their own containers and execute malware on the victim’s infrastructure.

Usually that malware is a cryptominer of some kind, as seen in April in a Bitcoin-mining campaign using the Kinsing malware.

A cryptomining worm from the group known as TeamTNT is spreading through the Amazon Web Services (AWS) cloud and collecting credentials. Once the logins are harvested, the malware logs in and deploys the XMRig mining tool to mine Monero cryptocurrency.

According to researchers at Cado Security, the worm also deploys a number of openly available malware and offensive security tools, including “punk.py,” an SSH post-exploitation tool; a log cleaning tool; the Diamorphine rootkit; and the Tsunami IRC backdoor.

It is, they said, the first threat observed in the wild that specifically targets AWS for cryptojacking purposes. However, it also carries out more familiar fare.

“The worm also steals local credentials, and scans the internet for misconfigured Docker platforms,” according to a Monday posting.


Crypto-Mining Worm Steals AWS Creds: ‘/thx/for/your/key’

  • By David Ramel
  • 08/18/2020

Another cloud crypto-mining exploit has been publicized, this one with the added ability to steal credentials stored on the Amazon Web Services (AWS) cloud computing platform.

Recently we reported on how hackers turned Kubernetes machine learning to crypto mining on Microsoft’s Azure cloud. Crypto mining (or cryptocurrency mining or bitcoin mining) is a way to generate digital currency wealth by applying large amounts of computing power. While it’s not illegal by itself, it requires tremendous computing effort for usually minimal gains. It is, of course, illegal to hijack other organizations’ computing power for the mining.

A crypto-mining botnet is stealing Amazon Web Services credentials from infected servers.

The TeamTNT botnet targets misconfigured Docker and Kubernetes systems running on top of AWS servers, and then scans the underlying infected servers for any hard-coded AWS credentials, security firm Cado Security said. The malware, which installs Monero cryptominers on the infected systems, has been actively targeting Docker installations since April, according to Trend Micro.

The research team used MoneroOcean, one of the mining pools used by the attackers, to compile a list of 119 compromised systems across AWS, Kubernetes clusters, and Jenkins build servers.

“It is likely we will see other worms start to copy the ability to steal AWS Credentials files too.”

The botnet scans for open and accessible Docker and Kubernetes systems, and infects them with malware.

In April, Trend Micro observed the group attacking Docker containers.

An examination by Cado of one of the mining pools yielding information about the systems that the AWS-capable worm has compromised showed that for the one pool, there were 119 compromised systems, across AWS, Kubernetes clusters and Jenkins build servers.

“So far we have seen two different Monero wallets associated with these latest attacks, which have earned TeamTNT about three XMR,” researchers explained. “That equates to only about $300, however this is only one of their many campaigns.”

Cado researchers suggested that to thwart such attacks, businesses should identify which systems are storing AWS credential files and delete them if they aren’t needed.
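One way to act on that advice is to inventory the same two files the worm goes after and flag which profiles hold long-lived IAM keys (access key IDs starting with AKIA) rather than temporary STS keys (ASIA plus a session token). This is an added example for defenders, not Cado’s or TeamTNT’s code; the home-directory root, the profile layout and the fake keys are constructed assumptions.

```python
import configparser
import tempfile
from pathlib import Path

# File names the page says the worm copies out of each user's ~/.aws directory.
TARGET_FILES = ("credentials", "config")

def find_aws_files(home_root):
    """Return every <home>/.aws/credentials and <home>/.aws/config beneath home_root."""
    hits = []
    for home in Path(home_root).iterdir():
        for name in TARGET_FILES:
            path = home / ".aws" / name
            if path.is_file():
                hits.append(path)
    return sorted(hits)

def classify_profiles(credentials_path):
    """Label each profile by key type: AKIA... is a long-lived IAM key, ASIA... is temporary STS."""
    parser = configparser.ConfigParser()
    parser.read(credentials_path)
    labels = {}
    for section in parser.sections():
        key_id = parser.get(section, "aws_access_key_id", fallback="")
        if key_id.startswith("AKIA"):
            labels[section] = "long-lived"
        elif key_id.startswith("ASIA") and parser.has_option(section, "aws_session_token"):
            labels[section] = "temporary"
        else:
            labels[section] = "unknown"
    return labels

def audit(home_root):
    """Map each found file to its profile labels; long-lived entries are the ones to remove or rotate."""
    return {str(p): classify_profiles(p) if p.name == "credentials" else {} for p in find_aws_files(home_root)}

def build_demo_home():
    """Construct a throwaway home tree with fake keys so the script runs stand-alone (constructed sample)."""
    root = tempfile.mkdtemp()
    aws = Path(root) / "deploy" / ".aws"
    aws.mkdir(parents=True)
    (aws / "credentials").write_text(
        "[default]\naws_access_key_id = AKIAEXAMPLEEXAMPLE01\naws_secret_access_key = fake\n\n"
        "[ci]\naws_access_key_id = ASIAEXAMPLEEXAMPLE02\naws_secret_access_key = fake\naws_session_token = fake\n")
    (aws / "config").write_text("[default]\nregion = us-east-1\n")
    return root

if __name__ == "__main__":
    for path, labels in audit(build_demo_home()).items():
        print(path, labels or "(config only)")
```

On a real host, point audit() at /home (and /root) and treat every "long-lived" profile as a candidate for deletion or rotation to instance-role or STS credentials.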

