In previous entries, we described how the hacking group TeamTNT targeted unsecured Redis instances, exposed Docker APIs, and vulnerable Kubernetes clusters in order to deploy cryptocurrency-mining payloads and credential stealers. TeamTNT was one of the first cybercriminal groups to focus on cloud service providers (CSPs), and specifically on the instance metadata exposed to elastic compute instances running on those services. It mainly engaged in the theft of that environment metadata, which includes secrets and CSP-issued credentials and other preauthorization data that can then be reused against other services, such as serverless deployments.

If a running instance is misconfigured or has a security weakness such as an exposed API or leaked credentials, an attacker who abuses that flaw can pivot from the instance to every other service its credentials are authorized for. Organizations therefore need to keep critical authentication credentials, or secrets, out of cybercriminals' reach.
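The credentials TeamTNT harvested from compute instances come from the instance metadata service, which on AWS answers at 169.254.169.254 and hands out the instance role's temporary keys. The configuration check below is an added example (not code from the original article or from Trend Micro): it parses the JSON that `aws ec2 describe-instances --output json` returns, flags instances that still accept IMDSv1 requests (no session token required) or let the IMDSv2 token response travel more than one network hop (reachable from containers on a bridge network), and prints the `modify-instance-metadata-options` command that closes the gap. The instance IDs in the embedded sample are constructed for the example.

```python
import json

# Constructed sample: a trimmed `aws ec2 describe-instances --output json` response.
# The instance IDs are hypothetical and not taken from the article.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [
        {"Instances": [
            # IMDSv1 allowed and hop limit 2: readable from any process or container
            {"InstanceId": "i-0aaaaaaaaaaaaaaa1",
             "MetadataOptions": {"HttpEndpoint": "enabled",
                                 "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 2}},
            # IMDSv2 enforced, hop limit 1: the hardened state
            {"InstanceId": "i-0bbbbbbbbbbbbbbb2",
             "MetadataOptions": {"HttpEndpoint": "enabled",
                                 "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1}},
            # Endpoint disabled entirely: nothing to steal from the metadata service
            {"InstanceId": "i-0ccccccccccccccc3",
             "MetadataOptions": {"HttpEndpoint": "disabled",
                                 "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1}},
        ]}
    ]
})


def remediation_command(instance_id: str) -> str:
    """Real AWS CLI command that enforces IMDSv2 and a single hop on one instance."""
    return (f"aws ec2 modify-instance-metadata-options --instance-id {instance_id} "
            "--http-tokens required --http-put-response-hop-limit 1")


def audit_imds(describe_json: str) -> list:
    """Return one finding per instance whose metadata settings let a process that
    has merely gained code execution on the box read
    http://169.254.169.254/latest/meta-data/iam/security-credentials/<role>
    too easily. Instances with the endpoint disabled produce no finding."""
    findings = []
    for reservation in json.loads(describe_json).get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            # Missing keys are treated with the historical AWS defaults
            # (endpoint enabled, IMDSv1 allowed, hop limit 1).
            if opts.get("HttpEndpoint", "enabled") != "enabled":
                continue
            issues = []
            if opts.get("HttpTokens", "optional") != "required":
                issues.append("IMDSv1 allowed (HttpTokens=optional): role credentials "
                              "are readable with a single unauthenticated GET")
            if int(opts.get("HttpPutResponseHopLimit", 1)) > 1:
                issues.append("HttpPutResponseHopLimit > 1: IMDSv2 token response can "
                              "reach containers behind an extra network hop")
            if issues:
                findings.append({"InstanceId": inst["InstanceId"],
                                 "issues": issues,
                                 "fix": remediation_command(inst["InstanceId"])})
    return findings


if __name__ == "__main__":
    for finding in audit_imds(SAMPLE_DESCRIBE_INSTANCES):
        print(finding["InstanceId"])
        for issue in finding["issues"]:
            print("  -", issue)
        print("  fix:", finding["fix"])
```

Run it against real output by piping `aws ec2 describe-instances --output json` into `audit_imds`. Enforcing IMDSv2 does not stop an attacker who already has root on the instance, but it removes the one-request credential grab that SSRF bugs and container escapes rely on; the hop-limit finding is the weaker of the two and can be accepted where workloads in containers legitimately need instance credentials.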

Today, TeamTNT continues to actively exploit cloud environments in its campaigns. Using a new batch of campaign samples, we take a look at its more recent activity and compare it with earlier deployments to show how the group has upgraded its tools and payloads.

TeamTNT's upgraded arsenal

What stands out from our analysis is that the samples from TeamTNT's recent campaigns look more professionally developed than earlier versions. They cover more corner cases and include bug fixes, and they show marked improvements in how the group targets exposed Amazon Web Services (AWS) and Kubernetes services.

Rather than relying on all-in-one samples that bundle multiple functionalities, TeamTNT's attacks have become more modular. Each sample has a defined scope and well-defined functions, showing how the group has evolved to apply a more targeted approach in its campaigns.

Disclaimer

Trend Micro Inc. published this content on 03 November 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 03 November 2021 12:24:11 UTC.