Recent additions to TeamTNT Malware Campaign on Cloud Environments

Overview of TIR-20210124

This report is about the recent additions to the TeamTNT malware campaign to infect and spread through cloud environments. The malware has been updated to capture AWS IAM user details more effectively. Vulnerable cloud environments are discovered through scanning the Internet for specific open API ports.

Tactics, Techniques, and Procedures of TeamTNT Malware Campaign

Once an accessible target has been designated via Internet scanning the bad actor installs a shell script built to pull specific data needed to start the infection. The shell script looks for AWS IAM credentials and the necessary keys to set up the malware in the environment. There’s also functionality designed to target Google Cloud Platform environments built into the staging script. If the script is successful in acquiring the required information, it starts the breakout of the Docker instance by exploiting a well-known vulnerability CVE-2019-5736. Exploiting CVE-2019-5736 successfully allows for the opportunity to set up cryptocurrency miners on the affected system. 

CVE-2019-5736 is a vulnerability that allows the attacker to overwrite the host runs binary providing root access to the host system. The attacker can then execute a command as root inside a container to either load a new container with an attacker-controlled image or use the current container to be attached with docker exec. This root cause is the mishandling of the file-descriptor known as /proc/self/exe.

The bad actor uses a variety of tools to maintain control over the affected cloud environment. The first tool is called Tmate which is a simple application for sharing terminals providing a method for maintaining access to the environment. The next tool is called Break Out The Box (BOTB) which is a well-known penetration testing tool for testing cloud environments. The final tool worth noting is called Peirates which is a penetration testing tool designed to attack Kubernetes environments.

Business Unit Impact

• May result in the loss of control over critical cloud assets.
• Could lead to heavy resource usage as various miners execute in the environment.
• Could provide privileged access to sensitive data on potentially multiple containers.
• May allow for the compromise of mission-critical cloud assets hosting sensitive data.

Avertium Recommendations

• It is highly encouraged that you block external access to the Docker API ports (2376/tcp and 2375/tcp)
• Consider monitoring the environment for any odd outbound http requests containing sensitive AWS data.
• You may want to limit the capabilities of specific IAM roles in the environment to reduce risk.
• Implement the patch for CVE-2019-5736

Resources for TeamTNT Malware Campaign TIR-20210124

Source: https://otx.alienvault.com/pulse/6007314fbb9b9daf8afc505c

Related Threat Reports: https://www.avertium.com/teamtnt-attacks-cloud-environments/

Supporting Documentation

• https://www.cadosecurity.com/post/botnet-deploys-cloud-and-container-attack-techniques 
• CVE-2019-5736 Patch: https://github.com/Azure/AKS/releases/tag/2019-02-12 

MITRE Mapping(s):

• https://attack.mitre.org/techniques/T1068/ 
• https://attack.mitre.org/techniques/T1552/005/ 
• https://attack.mitre.org/techniques/T1526/ 
• https://attack.mitre.org/techniques/T1078/004/ 
• https://attack.mitre.org/techniques/T1036/005/ 
• https://attack.mitre.org/techniques/T1016/ 
• https://attack.mitre.org/techniques/T1049/ 
• https://attack.mitre.org/techniques/T1082/ 
• https://attack.mitre.org/techniques/T1530/ 

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.