This report is about the recent additions to the TeamTNT malware campaign to infect and spread through cloud environments. The malware has been updated to capture AWS IAM user details more effectively. Vulnerable cloud environments are discovered through scanning the Internet for specific open API ports.
Once an accessible target has been designated via Internet scanning the bad actor installs a shell script built to pull specific data needed to start the infection. The shell script looks for AWS IAM credentials and the necessary keys to set up the malware in the environment. There’s also functionality designed to target Google Cloud Platform environments built into the staging script. If the script is successful in acquiring the required information, it starts the breakout of the Docker instance by exploiting a well-known vulnerability CVE-2019-5736. Exploiting CVE-2019-5736 successfully allows for the opportunity to set up cryptocurrency miners on the affected system.
CVE-2019-5736 is a vulnerability that allows the attacker to overwrite the host runs binary providing root access to the host system. The attacker can then execute a command as root inside a container to either load a new container with an attacker-controlled image or use the current container to be attached with docker exec. This root cause is the mishandling of the file-descriptor known as /proc/self/exe.
The bad actor uses a variety of tools to maintain control over the affected cloud environment. The first tool is called Tmate which is a simple application for sharing terminals providing a method for maintaining access to the environment. The next tool is called Break Out The Box (BOTB) which is a well-known penetration testing tool for testing cloud environments. The final tool worth noting is called Peirates which is a penetration testing tool designed to attack Kubernetes environments.
Related Threat Reports: https://www.avertium.com/teamtnt-attacks-cloud-environments/
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.