Upgraded crypto-mining malware now steals AWS credentials

News
By
published

TeamTNT is actively stealing AWS credentials from misconfigured Docker and Kubernetes systems

(Image credit: Shutterstock)

The crypto-mining malware used by the cybercrime group TeamTNT has been updated with new functionality that allows it to steal AWS credentials from infected servers.

The group has been operating since at least April of this year according to a report from Trend Micro, whose researchers discovered its cyptocurrency miner along with a DDoS bot used to target Docker systems while investigating an open directory containing malicious files first discovered by MalwareHunterTeam.

TeamTNT scans the internet searching for misconfigured Docker APIs that have been left exposed online without a password. When the group finds a vulnerable Docker system, it deploys servers inside the installation to launch DDoS attacks and run crypto-mining malware. 

However, TeamTNT is just one of many cybercrime gangs that employs similar tactics in order to take advantage of organizations whose systems are not properly secured online.

First cryptocurrency, now credentials

According to a new report from the UK-based security firm Cado Security, TeamTNT has expanded the scope of its malware to target Kubernetes installations while also adding a new feature that scans infected servers for any AWS credentials.

If an infected Docker or Kubernetes system runs on top of AWS infrastructure, the group scans for AWS credentials and configuration files, copies them and then uploads them to its command-and-control server. To make matters worse, both the ~/.aws/credentials and ~/.aws/config files stolen by TeamTNT are unencrypted and contain plaintext credentials and configuration details for a target's AWS account and infrastructure.

Thankfully though, the group has not yet used any of the stolen credentials according to researchers at Cabo Security who sent a collection of canary credentials to its C&C server which have yet to have been used.

Team TNT and its crypto-mining malware pose a serious threat to organizations as the group will likely be able to boost its profits significantly by either selling the stolen credentials or using them to mine additional cryptocurrency.

Via ZDNet

TOPICS
Anthony Spadafora
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Latest in Security
healthcare
Software bug meant NHS information was potentially “vulnerable to hackers”
A hacker wearing a hoodie sitting at a computer, his face hidden.
Experts warn this critical PHP vulnerability could be set to become a global problem
A close-up of a phone screen showing the Telegram, Signal and WhatsApp apps
Agentic AI has “profound” issues with security and privacy, Signal President says
botnet
Another top security camera maker is seeing devices hijacked into botnet
Bluetooth
Top Bluetooth chip security flaw could put a billion devices at risk worldwide
How to prevent cyberattacks
NTT admits hackers accessed details of almost 18,000 corporate customers in cyberattack
Latest in News
Twitter social media application change logo to X. Elon Musk CEO of twitter rebranded Twitter to 'X'. Social media application technology concept.
X is down again – here's everything we know about Twitter's third outage of the day
Nvidia geforce rtx 3050
RTX 5050 rumors detail full spec of desktop graphics card, suggesting Nvidia may use slower video RAM – but I wouldn’t panic yet
OnePlus 13
OnePlus is ditching the Alert Slider for an iPhone-style customizable button - and I’ll be sad to see it go
healthcare
Software bug meant NHS information was potentially “vulnerable to hackers”
Q Acoustics Q SUB80, QSUB100 and QSUB120 subwoofers
Q Acoustics wants to bring the bass to your post-Oscars movie catch-up
Hospital
Major Oracle outage hits US Federal health record systems
More about security
A hacker wearing a hoodie sitting at a computer, his face hidden.

Experts warn this critical PHP vulnerability could be set to become a global problem
botnet

Another top security camera maker is seeing devices hijacked into botnet
March Madness TV deals

Best Buy just launched a mega March Madness TV sale: record-low prices from $259.99
See more latest
Most Popular
Twitter social media application change logo to X. Elon Musk CEO of twitter rebranded Twitter to 'X'. Social media application technology concept.
X is down again – here's everything we know about Twitter's third outage of the day
A hacker wearing a hoodie sitting at a computer, his face hidden.
Experts warn this critical PHP vulnerability could be set to become a global problem
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Tuesday, March 11 (game #373)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Tuesday, March 11 (game #639)
Quordle on a smartphone held in a hand
Quordle hints and answers for Tuesday, March 11 (game #1142)
botnet
Another top security camera maker is seeing devices hijacked into botnet
healthcare
Software bug meant NHS information was potentially “vulnerable to hackers”
OnePlus 13
OnePlus is ditching the Alert Slider for an iPhone-style customizable button - and I’ll be sad to see it go
Nvidia geforce rtx 3050
RTX 5050 rumors detail full spec of desktop graphics card, suggesting Nvidia may use slower video RAM – but I wouldn’t panic yet
Bluetooth
Top Bluetooth chip security flaw could put a billion devices at risk worldwide