Security researchers at CloudSEK have uncovered a long-standing cyber threat from a group known as TeamTNT, which has been targeting cloud instances and containerized environments worldwide for over two years. The group's activities date back to February 2020, and its GitHub profile holds 25 public repositories, many of them forks of popular red teaming tools.
TeamTNT’s domain, registered in February 2020, aligns with their initial focus on targeting Redis servers for cryptojacking purposes. They deployed tools like pnscan, Tsunami, and xmrigCC in these early campaigns. By May 2020, the group expanded their attacks to Docker instances, using a mix of cryptojacking tools and a TCP port scanner called masscan along with malicious Alpine images.
As the months progressed, TeamTNT shifted to Ubuntu images for its Docker attacks and introduced the Linux Kernel Module (LKM) rootkit Diamorphine to hide its processes and files. The group also began abusing exposed Weave Scope deployments as a backdoor and adopted existing open-source tools, among them Peirates, BOtB, and libprocesshider, to move against Kubernetes clusters and to hide its miners from process listings.
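The two hiding techniques named above leave a seam a defender can pull on: an LD_PRELOAD-style hider such as libprocesshider has to be registered in /etc/ld.so.preload to get into every process, and both it and an LKM rootkit like Diamorphine typically filter the directory listing of /proc rather than the lookup of a named /proc/&lt;pid&gt; entry. The script below, an added example that is not code from CloudSEK's report or from TeamTNT's repositories, checks both. It assumes a Linux host with /proc mounted and the standard /etc/ld.so.preload path; the sample preload content and the library path in it are constructed placeholders, not indicators from the report.

```python
# Added example: hunt for an LD_PRELOAD-style process hider and for PIDs that a
# /proc readdir() filter (user-space or LKM) hides. Not code from CloudSEK or
# TeamTNT. Assumes Linux, /proc mounted, and /etc/ld.so.preload as the loader's
# preload file; run as root to be able to stat() every /proc/<pid>.
import os
from typing import Dict, List, Optional, Set

PROC = "/proc"
LD_PRELOAD_FILE = "/etc/ld.so.preload"

# Constructed sample of a tampered preload file (placeholder path, not an IOC).
SAMPLE_PRELOAD = "/usr/local/lib/libprocesshider.so\n# comment line\n\n"


def parse_ld_preload(text: str) -> List[str]:
    """Return every library listed in ld.so.preload.

    The loader reads this file for every dynamically linked program, so a hider
    listed here is injected into ps, top and ls alike. On a normal host the file is
    absent or empty, so any entry deserves a look. Entries are separated by
    whitespace or newlines and '#' starts a comment.
    """
    libs: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            libs.extend(line.split())
    return libs


def listed_pids(proc: str = PROC) -> Set[int]:
    """PIDs visible through readdir() on /proc, the path ps and top take."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def read_pid_max(proc: str = PROC, default: int = 32768) -> int:
    """Highest PID the kernel will allocate (kernel.pid_max)."""
    try:
        with open(f"{proc}/sys/kernel/pid_max") as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return default


def probed_pids(pid_max: int, proc: str = PROC) -> Set[int]:
    """PIDs reachable by stat()ing /proc/<pid> directly.

    A hider that filters readdir() results still has to answer a lookup of a
    named entry, so a direct stat() sees what the listing omits.
    """
    return {pid for pid in range(1, pid_max + 1) if os.path.isdir(f"{proc}/{pid}")}


def hidden_pids(listed_before: Set[int], probed: Set[int], listed_after: Set[int]) -> Set[int]:
    """PIDs that stat() found but neither listing showed.

    Listing on both sides of the probe discards processes that merely started
    or exited while the scan was running.
    """
    return probed - listed_before - listed_after


def process_name(pid: int, proc: str = PROC) -> str:
    """Best-effort command name for a PID (it may be gone by the time we look)."""
    try:
        with open(f"{proc}/{pid}/comm") as fh:
            return fh.read().strip()
    except OSError:
        return "<exited>"


def scan_host(proc: str = PROC, preload_path: str = LD_PRELOAD_FILE,
              pid_limit: Optional[int] = None) -> Dict[str, object]:
    """Run both checks against the live host and return the findings.

    pid_limit caps the stat() loop for quick runs; leaving it None scans up to
    kernel.pid_max (a few million stat() calls, some seconds in practice).
    """
    try:
        with open(preload_path) as fh:
            preload = parse_ld_preload(fh.read())
    except OSError:
        preload = []  # absent file is the normal state
    pid_max = read_pid_max(proc)
    if pid_limit is not None:
        pid_max = min(pid_max, pid_limit)
    before = listed_pids(proc)
    probed = probed_pids(pid_max, proc)
    after = listed_pids(proc)
    hidden = {pid: process_name(pid, proc)
              for pid in sorted(hidden_pids(before, probed, after))}
    return {"preload": preload, "hidden": hidden, "pid_max_scanned": pid_max}


if __name__ == "__main__":
    result = scan_host()
    print(f"ld.so.preload entries: {result['preload'] or 'none'}")
    print(f"PIDs probed: 1..{result['pid_max_scanned']}")
    for pid, name in result["hidden"].items():  # type: ignore[union-attr]
        print(f"hidden process: pid={pid} comm={name}")
    if not result["hidden"]:
        print("no hidden processes found")
```

A non-empty preload list or any hidden PID is worth pulling the host for imaging. A clean result is necessary rather than sufficient: a kernel module that also hooks the lookup path for /proc/&lt;pid&gt;, or one that hides by other means, will pass this check, so confirm from outside the host (hypervisor or cloud-provider view, network telemetry) when the host is suspect.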
In the latter half of 2021, TeamTNT continued its assaults on Docker, Kubernetes, and Weave Scope services and expanded its credential-stealing to AWS, FileZilla, and GitHub credentials found on compromised hosts. The campaign it named 'Chimaera' in July indicated a sustained focus on these targets.
Although the domain associated with TeamTNT is currently offline, screenshots are still accessible on the Wayback Machine. CloudSEK researchers noted that the group likely originates from Germany based on the language used in tweets and bash scripts.
This detailed timeline of TeamTNT's activities sheds light on the persistent threat the group poses to cloud environments and containerized systems. The pattern across the timeline is consistent: the initial access is an internet-exposed service with no authentication in front of it (Redis, the Docker API, Kubernetes, Weave Scope), and the follow-on is a miner, a rootkit to hide it, and theft of whatever cloud and service credentials are lying on the host. Organizations are urged to keep those services off the public internet or behind authentication, to treat credentials found on any compromised host as burned and rotate them, and to check hosts for /etc/ld.so.preload tampering and unexpected kernel modules rather than trusting process listings alone.