Cloud Security Threat: TeamTNT Targeting Cloud Environments for Crypto Mining
TeamTNT, the notorious cryptojacking group, is gearing up for a new large-scale campaign targeting cloud-native environments for mining cryptocurrencies and renting out breached servers to third parties. Assaf Morag, director of threat intelligence at Aqua, reported that the group is currently targeting exposed Docker daemons to deploy Sliver malware and cryptominers, using compromised servers and Docker Hub as infrastructure to spread its malware.
TeamTNT has been observed not only offering victims’ computational power for illicit cryptocurrency mining but also diversifying its monetization strategy. The attack campaign emerged earlier this month when Datadog disclosed malicious attempts to corral infected Docker instances into a Docker Swarm, hinting at TeamTNT’s involvement.
The attacks involve identifying unauthenticated and exposed Docker API endpoints, deploying cryptominers, and selling the compromised infrastructure to others on a mining rental platform called Mining Rig Rentals. The group is also using the open-source Sliver command-and-control (C2) framework to remotely commandeer infected servers.
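The entry point described above is a Docker daemon whose API is reachable over TCP without TLS client authentication, which the daemon does not require by default on a tcp:// listener. The following is an added defensive example, not code from the article or from Aqua, Datadog or TeamTNT: it audits the two places where a host's daemon listeners are configured, /etc/docker/daemon.json and the dockerd command line, and reports any tcp:// listener that is not protected by tlsverify. The sample configurations embedded in it are constructed for the demonstration; the file and certificate paths are assumptions about a typical installation.

```python
"""Audit a Docker daemon's listener configuration for unauthenticated TCP exposure.

Added example, not the article's or any vendor's code. A tcp:// listener that is
not configured with tlsverify accepts API calls from anyone who can reach the
port, which is the exposure the article describes. Sample inputs are constructed.
"""
import json
import shlex
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample configurations (assumed paths, not taken from the article).
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = (
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],'
    ' "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",'
    ' "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}'
)
WEAK_CMDLINE = "dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375"


@dataclass(frozen=True)
class Finding:
    listener: str         # the tcp:// host string exactly as configured
    all_interfaces: bool  # bound to 0.0.0.0 / :: (or no address) rather than one address
    source: str           # "daemon.json" or "cmdline"


def _is_wildcard(listener: str) -> bool:
    """True when the listener binds every interface, not just a specific address."""
    host = urlsplit(listener).hostname
    return host in (None, "", "0.0.0.0", "::")


def audit_listeners(listeners, tls_verify: bool, source: str) -> list:
    """Return a Finding for every tcp:// listener that lacks TLS client verification."""
    findings = []
    for listener in listeners:
        if not listener.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local to the host
        if tls_verify:
            continue  # client certificate required; not the unauthenticated case
        findings.append(Finding(listener, _is_wildcard(listener), source))
    return findings


def audit_daemon_json(text: str) -> list:
    """Audit the contents of daemon.json ("hosts" list, "tlsverify" flag)."""
    cfg = json.loads(text)
    return audit_listeners(cfg.get("hosts", []), bool(cfg.get("tlsverify", False)), "daemon.json")


def audit_cmdline(cmdline: str) -> list:
    """Audit a dockerd command line (-H/--host listeners, --tlsverify flag)."""
    args = shlex.split(cmdline)
    hosts, tls_verify = [], False
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 2
            continue
        if arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg.startswith("-H") and len(arg) > 2:
            hosts.append(arg[2:])  # attached form: -Htcp://...
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tls_verify = True
        i += 1
    return audit_listeners(hosts, tls_verify, "cmdline")


if __name__ == "__main__":
    for label, findings in (
        ("weak daemon.json", audit_daemon_json(WEAK_DAEMON_JSON)),
        ("hardened daemon.json", audit_daemon_json(HARDENED_DAEMON_JSON)),
        ("weak command line", audit_cmdline(WEAK_CMDLINE)),
    ):
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            scope = "all interfaces" if f.all_interfaces else "one address"
            print(f"  {f.source}: {f.listener} has no tlsverify ({scope})")
```

On a real host, feed it the actual daemon.json and the running dockerd command line (for example from the process list); a finding with all_interfaces set is the configuration that exposes the API to the network. The hardened sample keeps a TCP listener but requires client certificates, which is the Docker-documented way to authenticate remote API access; a listener bound to 127.0.0.1 without TLS is still reported, because anything on the host can reach it.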
Trend Micro recently highlighted a new campaign involving a targeted brute-force attack against a customer to deliver the Prometei crypto mining botnet. The botnet spreads by exploiting vulnerabilities in Remote Desktop Protocol (RDP) and Server Message Block (SMB) to mine cryptocurrencies like Monero on compromised machines without the victim’s knowledge.
These developments underscore the evolving tactics of threat actors in the cryptocurrency space and the increasing sophistication of their attacks. The cybersecurity community is on high alert as groups like TeamTNT continue to adapt and expand their operations.