The TeamTNT cybercrime gang has ramped up its attacks on the cloud over the past several months, this time launching a new malware campaign targeting Kubernetes clusters that culminated in a cryptojacking operation.
In a blog released Wednesday, Palo Alto’s Unit 42 researchers said the attackers gained initial access via a misconfigured kubelet that allowed anonymous access. Once it had a foothold in a Kubernetes cluster, the malware attempted to spread to as many containers as possible, leading to the malicious activity.
The researchers said TeamTNT’s new campaign is the most feature-rich malware Unit 42 has seen from this group. They said that in this round the threat actor developed more sophisticated tactics for initial access, execution, defense evasion and command and control. Although the malware is still under development and the campaign has not spread widely, Unit 42 believes the attacker will soon improve the tools and start a large-scale deployment.
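The initial-access condition described above, an anonymously reachable kubelet, is something a defender can audit on each node. The following is an added example written for this article, not code from Unit 42 or from the malware: it resolves a kubelet's effective anonymous-auth and authorization settings from its command line and (optionally) its config file, assuming the config file is in JSON form so the standard library can parse it; the default values it assumes are commented and should be checked against your kubelet version.

```python
"""Audit a kubelet's effective authn/authz settings for anonymous access.

Constructed example. The kubelet takes settings from a --config file (YAML or
JSON; JSON here) and from command-line flags, and flags override the file for
fields both cover.
"""
import json
import shlex

# Defaults as understood by the author of this example: the legacy flags default
# to anonymous=true / AlwaysAllow, while the config-file API defaults to
# anonymous=false / Webhook. Verify against the kubelet version you run.
FLAG_DEFAULTS = {"anonymous": True, "mode": "AlwaysAllow"}
CONFIG_DEFAULTS = {"anonymous": False, "mode": "Webhook"}

# Constructed sample config (hardened form) for the demonstration below.
SAFE_CONFIG = json.dumps({
    "authentication": {"anonymous": {"enabled": False}, "webhook": {"enabled": True}},
    "authorization": {"mode": "Webhook"},
})


def parse_flags(cmdline):
    """Return {flag: value} for --flag=value, --flag value and bare --flag forms."""
    flags, args, i = {}, shlex.split(cmdline), 0
    while i < len(args):
        a = args[i]
        if a.startswith("--"):
            if "=" in a:
                k, v = a[2:].split("=", 1)
            elif i + 1 < len(args) and not args[i + 1].startswith("--"):
                k, v, i = a[2:], args[i + 1], i + 1
            else:
                k, v = a[2:], "true"  # bare boolean flag means true
            flags[k] = v
        i += 1
    return flags


def effective_settings(cmdline, config_json=None):
    """Resolve anonymous auth and authorization mode: file value, then flag override."""
    flags = parse_flags(cmdline)
    defaults = FLAG_DEFAULTS if config_json is None else CONFIG_DEFAULTS
    cfg = json.loads(config_json) if config_json else {}
    anon = cfg.get("authentication", {}).get("anonymous", {}).get("enabled", defaults["anonymous"])
    mode = cfg.get("authorization", {}).get("mode", defaults["mode"])
    if "anonymous-auth" in flags:
        anon = flags["anonymous-auth"].lower() == "true"
    if "authorization-mode" in flags:
        mode = flags["authorization-mode"]
    return {"anonymous": anon, "mode": mode}


def audit_kubelet(cmdline, config_json=None):
    """Return human-readable findings; an empty list means no anonymous-access issue."""
    s, findings = effective_settings(cmdline, config_json), []
    if s["anonymous"]:
        findings.append("kubelet accepts anonymous (unauthenticated) API requests")
    if s["mode"] == "AlwaysAllow":
        findings.append("authorization mode AlwaysAllow: every caller is authorized for every kubelet endpoint")
    return findings
```

Run it against the `kubelet` process command line from `ps` or `/proc/<pid>/cmdline` on each node; two findings together mean the unauthenticated-access condition the researchers describe.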
Unlike a Docker engine that runs on a single host, a Kubernetes cluster typically contains more than one host and every host can run multiple containers. Given the abundant resources in a Kubernetes infrastructure, a hijacked Kubernetes cluster can be more profitable than a hijacked Docker host.
The researchers dubbed the new malware “Hildegard,” the user name of the tmate account that the malware used. TeamTNT has become known for exploiting unsecured Docker daemons and deploying malicious container images.
However, TeamTNT, which reportedly tweets in English and German but whose origin is still unknown, has never before targeted Kubernetes environments, said the Unit 42 researchers.
Along with the same tools and domains identified in TeamTNT’s previous campaigns, this new malware carries multiple new capabilities that make it more stealthy and persistent. Hildegard has the following characteristics:
- Uses two ways to establish command and control connections: a tmate reverse shell and an Internet Relay Chat (IRC) channel.
- Leverages a known Linux process name (bioset) to disguise the malicious process.
- Runs a library injection technique based on LD_PRELOAD to hide the malicious processes.
- Encrypts the malicious payload inside a binary to make automated static analysis more difficult.
Tal Morgenstern, co-founder and chief product officer at Vulcan Cyber, said the threat actors leveraged a combination of Kubernetes misconfigurations and known vulnerabilities. Morgenstern said DevOps and IT teams must closely coordinate with their counterparts in security to prioritize remediation, especially for external-facing assets and high-risk vulnerabilities.
“It’s very possible to quickly secure Kubernetes,” Morgenstern said. “The remedies are available, but it takes work, focus and cross-team collaboration to get the fix done and prevent these kinds of attacks.”
Jack Mannino, CEO at nVisium, agreed that this attack leveraged a common Kubernetes misconfiguration to gain persistence within the cluster.
“Combined with weakness in access control and isolation, this is a good way to gain a foothold into a cluster and establish command and control,” Mannino said. “As more production workloads move to cloud native, the complexity of securing clusters, software development pipelines, and cloud architectures becomes incredibly difficult, as the attack surface significantly expands.”