
Survey shows the tools and techniques used and the impact of the group's malicious activities

Trend Micro Brasil, one of the leading companies in cybersecurity solutions, conducted detailed research on TeamTNT, one of the most persistent malicious hacker groups, which ran a series of campaigns in 2020 and early 2021. Most of these campaigns, although varying in tools, techniques and purpose, targeted cloud environments.

TeamTNT has been attacking in some form since 2011, but it wasn't until 2020 that the group started to draw attention. In April of last year, it launched a short-lived Covid-19-themed campaign, choosing pandemic-related words for its attack URLs. “A month later, Trend Micro mapped an entry on how TeamTNT was targeting open Docker daemons to distribute cryptocurrency miners. The group also sparked another campaign, in late 2020, deploying TNTbotinger, an Internet Relay Chat (IRC) bot with distributed denial-of-service (DDoS) capabilities. This year, it focused even more on the cloud, covering different cloud-based services and software”, comments Rodrigo Garcia, Sales Director at Trend Micro.

Infection routines and payloads:
TeamTNT's infection routines usually follow a pattern, in which the group does reconnaissance using its scanner to choose suitable victims. After narrowing down its targets, it checks for misconfigurations and other security holes that can be exploited, such as:

  • Insecure instances of Redis;
  • Internet of Things (IoT) device vulnerabilities;
  • Exposed Docker APIs;
  • Leaked credentials;
  • Devices accessible via Secure Shell (SSH).

Upon finding a system with exploitable security flaws, it begins to deliver its payloads, which include:

  • Credential theft;
  • Cryptocurrency mining;
  • IRC bots;
  • Local network scanners;
  • Reverse/bind shells.

Credential theft is often one of the group's goals, if not the main one. TeamTNT uses a series of techniques in its credential capture routines, with its own scripts containing functions designed to look up credentials for specific services and software. In some of its campaigns it also implements persistence mechanisms, ensuring that a chosen user account can be accessed via SSH so that the attackers have a way back into the system after infection. In many cases, they deploy their own SSH public keys.
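As an added example (not code from the Trend Micro report or this article), a small defender-side check for the SSH-key persistence just described: it parses authorized_keys content, including lines with a leading options field, and flags every key whose SHA256 fingerprint is not on an allowlist. The key material, file content and allowlist below are constructed.

```python
"""Audit authorized_keys content for keys that are not on an approved list."""
import base64
import hashlib
import shlex

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def fingerprint(blob_b64):
    """SHA256 fingerprint in the same form `ssh-keygen -lf` prints it."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Return (key_type, blob_b64, comment, options) for every key line.

    Blank lines and comments are skipped; a leading options field such as
    no-pty,command="..." is tolerated by scanning for the key-type token."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # shlex handles quoted option values
        idx = next((i for i, t in enumerate(tokens)
                    if t.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # malformed line; sshd would ignore it as well
        options = " ".join(tokens[:idx])
        comment = " ".join(tokens[idx + 2:])
        entries.append((tokens[idx], tokens[idx + 1], comment, options))
    return entries


def find_unapproved_keys(text, approved_fingerprints):
    """Return (key_type, fingerprint, comment, options) for unlisted keys."""
    return [(ktype, fingerprint(blob), comment, options)
            for ktype, blob, comment, options in parse_authorized_keys(text)
            if fingerprint(blob) not in approved_fingerprints]


# Constructed sample: the blobs are fake key material, not real public keys.
ADMIN_BLOB = base64.b64encode(b"constructed-admin-key-material").decode()
ROGUE_BLOB = base64.b64encode(b"constructed-unknown-key-material").decode()
SAMPLE_AUTHORIZED_KEYS = f"""# approved operator key
ssh-ed25519 {ADMIN_BLOB} ops@bastion
no-pty,command="/bin/true" ssh-rsa {ROGUE_BLOB} root@localhost
"""
APPROVED = {fingerprint(ADMIN_BLOB)}  # allowlist of known-good fingerprints

if __name__ == "__main__":
    for ktype, fp, comment, options in find_unapproved_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED):
        print(f"UNAPPROVED {ktype} {fp} comment={comment!r} options={options!r}")
```

In practice the allowlist would be built from fingerprints of keys issued through the organization's own provisioning process, and the check run over every user's authorized_keys file on the host.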

The increasing use of cloud-based services, software and infrastructure has made the cloud an attractive target for groups like TeamTNT. A successful theft of cloud credentials or a cryptocurrency mining routine ends up infecting the entire system and can have far-reaching consequences for an organization, especially in terms of operational disruption and even reputational damage.

“Our job following TeamTNT's activities is to ensure a closer look at a cloud-focused hacker group. We aim to help companies understand how the group carries out its activities and offer insights and recommendations to prevent cyberattacks”, concludes Rodrigo Garcia.

See a complete copy of the report here.
