Overview of TIR-20210124
This report is about the recent additions to the TeamTNT malware campaign to infect and spread through cloud environments. The malware has been updated to capture AWS IAM user details more effectively. Vulnerable cloud environments are discovered through scanning the Internet for specific open API ports.
Tactics, Techniques, and Procedures of TeamTNT Malware Campaign
Once an accessible target has been designated via Internet scanning the bad actor installs a shell script built to pull specific data needed to start the infection. The shell script looks for AWS IAM credentials and the necessary keys to setup the malware in the environment. There’s also functionality designed to target Google Cloud Platform environments built into the staging script. If the script is successful in acquiring the required information, it starts breakout of the Docker instance by exploiting a well-known vulnerability CVE-2019-5736. Exploiting CVE-2019-5736 successfully allows for the opportunity to setup cryptocurrency miner on the affected system.
CVE-2019-5736 is a vulnerability that allows the attacker to overwrite the host runc binary providing root access to the host system. The attacker can then execute a command as root inside a container to either load a new container with an attacker-controlled image or use the current container to be attached with docker exec. This root cause is the mishandling of the file-descriptor known as /proc/self/exe.
The bad actor uses a variety of tools to maintain control over the affected cloud environment. The first tool is called Tmate which is a simple application for sharing terminals providing a method for maintaining access to the environment. The next tool is called Break Out The Box (BOTB) which is a well-known penetration testing tool for testing cloud environments. The final tool worth noting is called Peirates which is a penetration testing tool designed to attack Kubernetes environments.
Business Unit Impact
- May result in the loss of control over critical cloud assets.
- Could lead to heavy resource usage as various miners execute in the environment.
- Could provide privileged access to sensitive data on potentially multiple containers.
- May allow for the compromise of mission-critical cloud assets hosting sensitive data.
- It is highly encouraged that you block external access to the Docker API ports (2376/tcp and 2375/tcp)
- Consider monitoring the environment for any odd outbound http requests containing sensitive AWS data.
- You may want to limit the capabilities of specific IAM roles in the environment to reduce risk.
- Implement the patch for CVE-2019-5736
Resources for TeamTNT Malware Campaign TIR-20210124
Related Threat Reports: https://www.avertium.com/teamtnt-attacks-cloud-environments/
- CVE-2019-5736 Patch: https://github.com/Azure/AKS/releases/tag/2019-02-12
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.