Nearly 50,000 IPs Compromised in Kubernetes ClustersTrend Micro: Cryptojacking Group TeamTNT Targets Clusters in Wormlike Attack
Researchers at Trend Micro say about 50,000 IPs were compromised across multiple Kubernetes clusters in a wormlike attack by the cloud-focused cryptojacking group TeamTNT.
See Also: Case Study: The Road to Zero Trust
Kubernetes, developed and backed by Google, is one of the most widely adopted container orchestration platforms for automating the deployment, scaling and management of containerized applications.
"The high number of targets shows that TeamTNT is still expanding its reach, especially in cloud environments, and perhaps infrastructure, since the group can monetize a more significant amount from their campaigns with more potential victims," Magno Logan, information security specialist and senior threat researcher at Trend Micro, writes in a blog post.
Kubernetes clusters are an attractive attack target because they are often misconfigured, the researchers say.
TeamTNT is a cloud-focused cryptojacking group that often targets Amazon Web Services credential files on compromised cloud systems to mine for the cryptocurrency Monero. Security researchers first spotted the group in 2020.
The group has been scanning for and compromising Kubernetes clusters in the wild, Trend Micro reports. Several IPs were repeatedly exploited between March and May, the company says.
In previous research, Trend Micro highlighted that TeamTNT was actively stealing AWS, Docker and Linux Secure Shell credentials as well waging cryptojacking attacks and placing backdoors - such as IRC bots and remote shells - inside Linux devices.
Researchers’ observed that most compromised nodes identified in internet service providers and cloud service providers were in China and the U.S.
Lewis Jones, threat intelligence analyst at managed services provider Talion, notes TeamTNT is primarily focused on cryptomining operations. “It has revamped its tactics to increase its credential harvesting capabilities," Jones says. "The group first came up on the radar of security teams in 2020 when it developed the first cryptomining worm to steal AWS credentials. Since then, the group's focus has shifted to targeting cloud and container environments."
Trend Micro researchers analyzed one of the scripts they collected from a TeamTNT server.
TeamTNT initially sought to disable the bash history on the target host and define environment variables for its command-and-control server, such as the script to install the crypto miner later and the binary of the XMRig Monero miner, the researchers say.
"The script also installs two free, open-source tools available from GitHub, the network scanning tool masscan - developed in C - and the banner-grabbing, deprecated Zgrab - developed in Go. The new version Zgrab2 is also open source and available on GitHub but is not installed with the script," Trend Micro researchers note.
TeamTNT then installs its Internet Relay Chat bot. Researchers discovered that the IRC bot is written in C and is stored on the /tmp folder under the name kube.c to avoid suspicion.
"The bot code is compiled with Gnu Compiler Collection and removed after compiling completes. The resulting binary generated is then moved to the /root folder and renamed to kube," the researchers say.
An IRC bot is a set of scripts or an independent program that connects to Internet Relay Chat as a client, so it appears to other IRC users as another user. The IRC bot used by Team TNT, also written in C, is based on another well-known IRC bot called Kaiten. The researchers found that in the last part of the script, a function - kube_pwn() - uses Masscan to check any hosts with port 10250 open.
Once the connection is established, the attackers then use the Masscan port scanner to scan the internal network of the targeted Kubernetes cluster to look for other unsecured or misconfigured Kubelet agents.
Single Gateway a Vulnerability
Microservice or service mesh architecture is often treated as a single unit secured by a central gateway that controls access to the whole cluster, says Pascal Geenens, director of threat intelligence at security company Radware. “Once inside the cluster, an attacker operates within the circle of trust with little to no resistance against lateral movement between containers.”
Geenens says that now that applications are fragmented into smaller, independent microservices, their central security should also be broken down into small security services to secure each individual container and service. This would provide more resistance against lateral movement, preventing a single exploited container providing access to thousands or even hundreds of thousands of containers.
Malware often aims to target misconfigured or unsecured Kubelet agents that run on each node in the container cluster, Trend Micro researchers say. These agents make sure that containers are running in a "pod" and can receive commands and instructions from the Kubernetes API server. From there, the malware deploys a cryptomining script and starts mining for Monero.
"This latest development shows that the group's worming attacks are working exceptionally well against misconfigured and vulnerable Kubernetes endpoints," Jones says. "The fact that over 50,000 have already been compromised shows that this campaign could reach a huge number of endpoints. This is especially so given that it appears that certain endpoints become repeatedly exploited, demonstrating that the campaign is easily scalable due to automation." Jones note.
Other TeamTNT Activity
Earlier, researchers uncovered several other cryptomining campaigns tied to TeamTNT.
In February, Palo Alto Networks' Unit 42 reported that an undocumented malware variant called "Hildegard" was targeting Kubernetes clusters, also likely the work of TeamTNT (see: Cryptojacker Targets Exposed Docker Daemon APIs).
In August 2020, the firm Cado Security found that TeamTNT had deployed a cryptomining botnet that would also steal Amazon Web Services user credentials (see: Cryptomining Botnet Steals AWS Credentials).