2023-07-13

TeamTNT, a threat group known for compromising cloud environments and containers, appears to have returned with a newly developed attack toolkit and botnet that has worming capabilities and targets multiple cloud technologies. Researchers found components designed to scan for vulnerable or insecure Kubernetes clusters, Docker APIs, Weave Scope instances, JupyterLab and Jupyter Notebook deployments, Redis servers, and Hadoop clusters.

Researchers from Aqua Security also found evidence the group was testing for various vulnerabilities and misconfigurations in services and applications such as Tomcat, Nginx, PostgreSQL and SSH.

"Based on our research, we have discerned that this botnet perpetually scans the entirety of the internet," the Aqua researchers said in a new report. "Consequently, every IP address undergoes a scan at least once every hour. We discovered that the rate of infection is fairly rapid, with a minimum of two new victims emerging every hour."

The Silentbob cloud worm and TeamTNT

TeamTNT was a fairly high-profile cybercrime group known for targeting Docker and Kubernetes environments for the purpose of cryptojacking and other malicious activities. However, the group's activities had stopped for the past two years with no clear indication as to why.

The new campaign observed by Aqua bears many similarities to TeamTNT's known tactics and techniques, including the use of similarly named scripts, the deployment of a malware program called Tsunami, and even the reuse of certain code snippets and code functions observed in past TeamTNT attacks.

"Given the specific tactics, techniques, and procedures (TTPs) observed, we firmly believe that the infrastructure for this operation was established by none other than the cybercriminal group known as TeamTNT," the Aqua researchers said. "Alternatively, it could be an advanced copycat who not only emulates their code, but also mirrors their degree of sophistication, affinity for the Dutch language, and distinct sense of humor."

The Aqua investigation into this recent campaign began when one of its honeypot servers got hit and the attackers downloaded and deployed a malicious Docker container image hosted on Docker Hub. This led the researchers down a complex attack chain that involved the use of multiple container images that make up a worm-like botnet they dubbed Silentbob. While this botnet primarily targets Docker and Jupyter instances, an investigation of the attackers' command-and-control (C2) server revealed more tools and scripts designed to compromise and enslave additional cloud environments through other technologies.

The first container image the attackers deployed was called jltest2 and is used to hunt for exposed Jupyter instances. Jupyter is an open-source platform that can be deployed on cloud servers to run computing workloads in multiple programming languages, making it an attractive target for attackers.

The container image contains a Bash script that executes when the container is started. This script installs the dependencies needed to download, compile, and run an open-source tool called ZGrab. This is an application layer scanner that connects to servers on different IP addresses on different port numbers and records the application banner, the server response that usually indicates what application is running.

The script also downloads and installs a port scanner called masscan that claims to be able to scan all the IP addresses on the internet in under five minutes. Masscan is used to scan for IP addresses with port 8888 open and then automatically send the results to ZGrab, which grabs the banner and determines if a Jupyter instance is running at the address. The positive results are then saved in a text file and uploaded to the attacker's C2 server.

The researchers found three other container images on the same Docker Hub account created by the attackers. One was an earlier version of jltest with a version of ZGrab precompiled instead of downloaded by a script. Another container called sysapp contained ZGrab and a run.sh script, but this time the script was designed to scan for misconfigured Docker daemons running version 1.16.

Once such a Docker daemon is identified, the script connects to it, gathers information about the environment, then deploys another Alpine Linux container that executes two ELF binaries. The researchers didn't recover these binaries, but they believe they could be variants of Tsunami, a backdoor program used by TeamTNT that uses IRC as a command-and-control channel.

The script also downloads and executes additional scripts. One was downloaded from a URL that included the path /xmrig_setup/, suggesting it was likely used to deploy a version of the XMRig cryptocurrency miner. The second is called aws.sh.txt and is likely used to scan the environment for any AWS credentials and send them to the attackers.

Finally, yet another container image called blob found under the attacker's account contained the Tsunami malware, masscan and a script that includes a function called dAPIpwn (Docker API pwn). This function configures masscan to scan a specified range of around 16.7 million IP addresses in search of exposed Docker APIs, then connects to any APIs found and grabs information about the running containers, which it then sends to the attacker's C2. As part of this script, the attackers used a dynamic DNS service called anondns with a subdomain called silentbob.

All the Docker container images had around 100 combined downloads when the Aqua researchers found them and reported them to Docker Hub's maintainers. While their honeypot system was only used to scan for other systems and did not receive further malicious activity or payloads, the researchers relied on Shodan to find real JupyterLab instances compromised as part of this campaign and were even able to observe a manual interaction by the attackers on one of them in real time.

"Given that some functions in the code remain unused and the linked attack patterns suggest manual testing, we theorize that the attacker is in the process of optimizing their algorithm," the researchers said. "Therefore, we speculate that this attack is yet to fully launch, and it is likely to attract significant attention once it develops into a full-blown campaign."

Signs of TeamTNT becoming a much bigger threat

Separately, the researchers were able to gain access to the attackers' C2 server and get a much better picture of the extent of the attack campaign. They also identified a plethora of scripts for targeting different cloud environments and technologies. These include multiple credential stealers, scripts for changing the iptables firewall rules, data discovery tools, malware downloaders, SSH and other types of backdoors, various malware programs including Tsunami, IP scanners, cryptominers, and pen-test tools.

"This botnet is notably aggressive, rapidly proliferating across the cloud and targeting a wide array of services and applications within the software development life cycle (SDLC)," the researchers said. "It operates at an impressive speed, demonstrating remarkable scanning capability. The botnet is designed to communicate with a central C2 server to determine the next range of IP addresses to scan."

The core of the botnet is the Tsunami malware that TeamTNT has used in past attacks. This botnet client for Linux systems hides its running processes and connects to a predefined IRC chat through which attackers can issue commands to all the infected machines. The Aqua researchers accessed the server used in this latest campaign and observed 196 new compromised machines over a seven-day period, or 1.3 new victims every hour.

"Given that this campaign is aggressively scanning the internet for exposed Docker APIs, Jupyter Lab and Notebook instances, Redis servers, SSH connections, and Weave Scope applications, it can rapidly infect new hosts that are exposed even for a brief moment," the researchers warned.

The tools the attackers deploy search for credentials from databases and storage systems such as Postgres, AWS S3, Filezilla, and SQLite, configuration files for Kubernetes clusters, Google Cloud Platform, Azure, and AWS as well as related cloud services such as EC2, Glue, Lambdas, and Lightsail. While past TeamTNT attacks targeted primarily Docker containers, it's clear that the attackers have now significantly expanded the scope of their operations and can now target development, staging, and production environments as well as CI/CD pipelines, build processes and even GitHub accounts.
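The two exposures this campaign keys on, a Docker daemon whose API is reachable over plain TCP and a Jupyter server bound to every interface with authentication switched off, are both visible in a host's own configuration before any scanner finds them. The following Python script, an added example for defenders and not code from Aqua's report or from the attackers' toolkit, audits a daemon.json body, a dockerd command line and a Jupyter config file for exactly those settings. The sample configurations are constructed; the Jupyter check assumes the standard `c.NotebookApp.*` / `c.ServerApp.*` traitlet syntax of jupyter_notebook_config.py and jupyter_server_config.py.

```python
"""Configuration audit for the exposures the Silentbob worm hunts:
a Docker API served over plain TCP and an unauthenticated Jupyter server.
Added defensive example; the sample configurations below are constructed."""
import json
import re


def audit_docker_daemon_json(text):
    """Findings for the body of /etc/docker/daemon.json.

    A "tcp://" entry in "hosts" without "tlsverify": true hands the full
    Docker API (list containers, pull images, run containers) to anyone
    who can reach the port.
    """
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"daemon.json is not valid JSON: {exc}"]
    tls_verify = bool(cfg.get("tlsverify", False))
    findings = []
    for host in cfg.get("hosts", []):
        if host.startswith("tcp://") and not tls_verify:
            bind = host[len("tcp://"):]
            findings.append(f"Docker API on {bind} without TLS client authentication (tlsverify is not set)")
    return findings


def audit_dockerd_cmdline(cmdline):
    """Same check for a dockerd command line, e.g. the ExecStart= of the systemd unit."""
    hosts = re.findall(r"(?:-H|--host)[= ]+(\S+)", cmdline)
    tls_verify = "--tlsverify" in cmdline
    return [f"Docker API on {h[len('tcp://'):]} without --tlsverify"
            for h in hosts if h.startswith("tcp://") and not tls_verify]


# Matches both the classic Notebook (NotebookApp) and jupyter_server (ServerApp) traitlets.
_JUPYTER_SETTING = r"^\s*c\.(?:NotebookApp|ServerApp)\.{name}\s*=\s*(.+?)\s*$"


def _jupyter_setting(text, name):
    """Raw right-hand side of a `c.NotebookApp.<name> = ...` line, or None if absent."""
    m = re.search(_JUPYTER_SETTING.format(name=name), text, re.MULTILINE)
    if not m:
        return None
    return m.group(1).split("#", 1)[0].strip()  # drop an inline comment


def audit_jupyter_config(text):
    """Findings for a jupyter_notebook_config.py / jupyter_server_config.py body."""
    findings = []
    token = _jupyter_setting(text, "token")
    ip = _jupyter_setting(text, "ip")
    if token in ("''", '""'):
        findings.append("token authentication disabled (token = '')")
    if ip is not None and ip.strip("'\"") in ("0.0.0.0", "*", "::"):
        findings.append(f"server listens on all interfaces (ip = {ip})")
    if _jupyter_setting(text, "allow_root") == "True":
        findings.append("allow_root = True: a compromised notebook runs as root")
    origin = _jupyter_setting(text, "allow_origin")
    if origin is not None and origin.strip("'\"") == "*":
        findings.append("allow_origin = '*': any website can drive the kernel through the browser")
    return findings


# Constructed samples: the exposed form beside the hardened form.
EXPOSED_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
EXPOSED_JUPYTER = """\
c = get_config()
c.NotebookApp.ip = '0.0.0.0'
c.NotebookApp.port = 8888
c.NotebookApp.open_browser = False
c.NotebookApp.token = ''   # "convenience" setting: no authentication at all
c.NotebookApp.password = ''
c.NotebookApp.allow_root = True
"""
HARDENED_JUPYTER = """\
c = get_config()
c.ServerApp.ip = '127.0.0.1'   # reach it through an SSH tunnel or an authenticating proxy
c.ServerApp.port = 8888
c.ServerApp.open_browser = False
c.ServerApp.allow_root = False
# token left unset: Jupyter generates a random one at start-up
"""

if __name__ == "__main__":
    for label, findings in [
        ("daemon.json (exposed)", audit_docker_daemon_json(EXPOSED_DAEMON_JSON)),
        ("daemon.json (hardened)", audit_docker_daemon_json(HARDENED_DAEMON_JSON)),
        ("jupyter config (exposed)", audit_jupyter_config(EXPOSED_JUPYTER)),
        ("jupyter config (hardened)", audit_jupyter_config(HARDENED_JUPYTER)),
    ]:
        print(f"{label}: {findings or 'no findings'}")
```

Run it as-is to see the exposed and hardened samples side by side, or call `audit_docker_daemon_json(open("/etc/docker/daemon.json").read())` and `audit_jupyter_config(open(path).read())` against a real host. The Docker check deliberately does not flag `tcp://` on its own: a daemon that requires client certificates (`tlsverify`) on 2376 is a supported deployment, while the same bind on 2375 without TLS is the misconfiguration the sysapp and blob containers look for.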