Researchers reported Friday that TeamTNT is using compromised AWS credentials to attack AWS cloud environments via the cloud platform’s application programming interface. The threat actors are now also targeting the credentials of 16 additional applications, including the AWS apps as well as Google Cloud credentials.
The researchers said the threat actors can now identify all identity and access management (IAM) permissions, elastic computer cloud instances, S3 buckets, CloudTrail configurations, and CloudFormation operations granted to the compromised AWS credentials.
This attack was significant because in hitting Google Cloud it represents the first time attackers have targeted IAM credentials on compromised cloud instances outside of AWS. Although it’s still possible that TeamTNT could target the IAM credentials of Microsoft Azure, Alibaba Cloud, Oracle Cloud, or IBM Cloud using similar methods, Unit 42 researchers have yet to find evidence that there has been an attack on the other cloud providers. TeamTNT first started collecting AWS credentials on cloud instances they had compromised as early as August 2020.
In a blog post, Palo Alto’s Unit 42 researchers said these latest discoveries followed the threat group having targeted Kubernetes clusters and creating a new malware called Black-T that integrates open source cloud-native tools to advance its cryptojacking operations.
Yaniv Bar-Dayan, co-founder and CEO at Vulcan Cyber said any enterprise using cloud services needs to understand that offloading compute and storage infrastructure to a cloud provider doesn’t mean offloading cloud security. Companies still need to apply a comprehensive vulnerability management and mitigation plan to all cyber resources utilized by a company, including cloud apps.
“Cloud vulnerabilities are not the same as application vulnerabilities and both require different remediation and mitigation actions to protect from organizations like TeamTNT,” Bar-Dayan said. “We agree with Unit 42 researchers and reiterate the immediate need to protect cloud infrastructure using the appropriate remediation steps common to cloud environments such as configuration changes, compensating controls, and workarounds.”
TeamTNT starts by infiltrating a public cloud environment – with AWS by far the most prevalent target, though Google Cloud was hit this time around – and builds a map of the environment which includes scraped credentials, workloads, and storage, said Oliver Tavakoli, CTO at Vectra.
“All this represents the equivalent of establishing a base camp prior to climbing a high summit,” Tavakoli said. “Then the insertion of cryptomining software begins with TeamTNT counting on the fact that target organizations won’t notice the uptick in usage charges for a while.”