TeamTNT, a threat group known for compromising cloud environments and containers, appears to have returned with a newly developed attack toolkit and botnet that has worming capabilities and targets multiple cloud technologies. Researchers found components designed to scan for vulnerable or insecure Kubernetes clusters, Docker APIs, Weave Scope instances, JupyterLab and Jupyter Notebook deployments, Redis servers, and Hadoop clusters.

Researchers from Aqua Security also found evidence the group was testing for various vulnerabilities and misconfigurations in services and applications such as Tomcat, Nginx, PostgreSQL and SSH.

“Based on our research, we have discerned that this botnet perpetually scans the entirety of the internet,” the Aqua researchers said in a new report. “Consequently, every IP address undergoes a scan at least once every hour. We discovered that the rate of infection is fairly rapid, with a minimum of two new victims emerging every hour.”

The Silentbob cloud worm and TeamTNT

TeamTNT was a fairly high-profile cybercrime group known for targeting Docker and Kubernetes environments for cryptojacking and other malicious activities. However, the group had been inactive for the past two years, with no clear indication as to why.

The new campaign observed by Aqua bears many similarities to TeamTNT’s known tactics and techniques, including the use of similarly named scripts, the deployment of a malware program called Tsunami, and even the reuse of certain code snippets and code functions observed in past TeamTNT attacks.

“Given the specific tactics, techniques, and procedures (TTPs) observed, we firmly believe that the infrastructure for this operation was established by none other than the cybercriminal group known as TeamTNT,” the Aqua researchers said. “Alternatively, it could be an advanced copycat who not only emulates their code, but also mirrors their degree of sophistication, affinity for the Dutch language, and distinct sense of humor.”