TeamTNT. PHOTO: Cybercrime Magazine.

TeamTNT: Cryptocriminals Target Linux Servers, Kubernetes

Experiments also conducted on infiltrating Windows machines by the German-speaking group

Charlie Osborne

London – Feb. 25, 2022

The TeamTNT cybercriminal enterprise is actively striking Linux systems and Kubernetes builds in cryptojacking campaigns.

Active since at least 2019, TeamTNT is considered something of an “anomaly” by cybersecurity researchers from Intezer.

The group is vocal on Twitter and interacts publicly with cybersecurity companies who write about them, an example being a recent exchange with Trend Micro. Cybercriminals don’t often refute evidence pointing their way when it comes to who is responsible for campaigns, but in TeamTNT’s case, the group has denied responsibility for some attacks attributed to them by researchers.

In addition, many prolific hacking groups are suspected of being of Russian, Chinese, or Iranian origin, but TeamTNT appears to be German-speaking based on their interactions and comments in shell scripts.

According to a white paper (.PDF) published by Intezer, TeamTNT’s toolkit has stayed relatively consistent. The threat actor — or actors — are described as “one of the predominant cryptojacking threat actors currently targeting Linux servers,” having pivoted from targeted servers running Docker and Redis to mainly Kubernetes clusters today.

The cybersecurity researchers have also found evidence of experimentation with Windows binaries on a server associated with TeamTNT, which may suggest Windows machines could also be on the radar.

TeamTNT generally relies on shell scripts and compiled binaries to compromise Linux systems. For example, in Trend Micro’s research report — the same that the threat actor mocked — the team found malicious implementations of Weave Scope, a legitimate tool for monitoring and managing Docker containers and Kubernetes clusters.

When it comes to malware, TeamTNT may drop AWS/SSH credential stealers, an Internet Relay Chat (IRC) bot named Tsunami, the Rathole backdoor, as well as shell scripts designed to steal configuration information and remain undetected.

The majority of the tools at hand are either open source or based on publicly available code — however, a handful of custom code samples have been obtained, revealing a focus on obfuscation.

“TeamTNT has employed techniques to hide their activities on compromised machines, making incident response investigations more difficult,” Intezer says. “All of their scripts are designed to be executed without being written to disk or self-deleted after execution. They have used techniques of hiding their running processes by mounting an empty folder over the process entry within the procfs, or by using UserLand and kernel-level rootkits.”
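The procfs over-mount trick quoted above leaves a trace that defenders can look for: the hiding mount itself appears in the kernel's mount table. The following is an added detection example (not code from Intezer or from the article) that parses a constructed, hypothetical `/proc/mounts` snapshot and flags any mount whose target sits on a `/proc/<pid>` entry; the `find_unreadable_pid_dirs` helper cross-checks a real `/proc` for PID directories whose `stat` file has vanished, which is what such an over-mount looks like to `ps`.

```python
import os
import re

# Constructed sample of /proc/mounts for demonstration only (not real data).
# Two entries mount a filesystem over /proc/<pid>, hiding those processes from ps.
SAMPLE_PROC_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda1 /proc/1337 ext4 rw,relatime 0 0
tmpfs /proc/4242 tmpfs rw 0 0
binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,relatime 0 0
"""

# Match only targets directly on a PID entry; /proc itself and /proc/sys/... are legitimate.
PID_MOUNT_RE = re.compile(r"^/proc/(\d+)(?:/|$)")


def find_pid_overmounts(mounts_text):
    """Return {pid: (source, fstype)} for every mount placed over a /proc/<pid> entry."""
    hidden = {}
    for line in mounts_text.splitlines():
        fields = line.split()          # /proc/mounts escapes spaces as \040, so split is safe
        if len(fields) < 3:
            continue
        source, target, fstype = fields[0], fields[1], fields[2]
        m = PID_MOUNT_RE.match(target)
        if m:
            hidden[int(m.group(1))] = (source, fstype)
    return hidden


def find_unreadable_pid_dirs(proc_root="/proc"):
    """List PID directories under proc_root that lack a readable 'stat' file.

    A normal process always exposes /proc/<pid>/stat; an empty directory
    mounted over the entry makes it disappear, so ps silently skips the PID.
    """
    suspicious = []
    for name in os.listdir(proc_root):
        if name.isdigit() and not os.path.exists(os.path.join(proc_root, name, "stat")):
            suspicious.append(int(name))
    return sorted(suspicious)


def scan_live_system(path="/proc/mounts"):
    """Run the mount-table check against the running host."""
    with open(path) as fh:
        return find_pid_overmounts(fh.read())


if __name__ == "__main__":
    for pid, (src, fs) in sorted(find_pid_overmounts(SAMPLE_PROC_MOUNTS).items()):
        print(f"PID {pid}: /proc entry over-mounted by {src} ({fs})")
```

Run it on a live host with `scan_live_system()` and `find_unreadable_pid_dirs()`; a process is only truly hidden from these checks if a rootkit also filters the mount table, so a hit in either should trigger a memory-level investigation.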

Aside from the theft of data, TeamTNT specializes in cryptojacking, the compromise of servers and other machines to implant cryptocurrency miners. When used in this way, miners harness compute power to covertly mine for coins including Monero (XMR).

Cron jobs respawn the miners after a reboot, giving the infection persistence, and according to the research team, TeamTNT may also set firewall rules that block external network connections in order to keep competing malware out.

Scripts deployed by the threat actors are also tasked with clearing out any other malware infections from a compromised machine.

In 2020, Aqua Security found malicious Docker images associated with the threat actors. These images, described as “well-built,” contained malware including Tsunami and Mirai, a variety of backdoors, Docker escape tools, and Potentially Unwanted Applications (PUAs). ESET has also linked an encrypted Golang binary to the threat actors that executes malware in memory.

Research conducted late in 2021 by Anomali and the Sysdig Threat Research Team has reached similar conclusions concerning TeamTNT’s toolkit and modus operandi.

In a campaign last year, first spotted by Palo Alto Networks, Kubernetes clusters were exploited through the Hildegard malware. In this instance, the cyberattackers did not use container images; instead, a reverse shell and activities designed to exploit existing containers were in use.

TeamTNT appears to be showing no signs of stopping. Speaking to Cybersecurity Ventures, Kevin Jacque, global security architect at Venafi, said that groups like TeamTNT “are getting more sophisticated every day and they’re always looking for the path of least resistance.”

“Weak or vulnerable SSH keys that serve as machine identities for applications, containers, and clusters on the ground or in the cloud definitely offer these groups all kinds of benefits: escalation of privileges, pivoting across networks and long-term backdoors,” Jacque commented. “This is because most organizations don’t have good machine identity security controls in place. The best thing organizations can do to protect these critical security controls used in Linux or Kubernetes clusters is to continuously monitor their SSH estate, especially in the cloud. You can’t protect anything if you don’t know you have it.”

Steve Judd, Solutions Architect at Kubernetes security specialist Jetstack, told us developers should also consider hardening their Kubernetes pods to stop attacks spreading through clusters by way of least-privilege principles, implementing robust network access policies, restricting pod egress, and potentially using distro-less base images in Docker.

Charlie Osborne is a journalist covering security for ZDNet. Her work also appears on TechRepublic, Cybercrime Magazine, and other media outlets.
