SilentBob cryptomining campaign

Type

Campaign

Actors

🔇SilentBob 💣TeamTNT

Pub. date

July 13, 2023

Initial access

Software misconfig

Impact

Resource hijacking

Observed techniques

Create SSH backdoor Steal EC2 Instance Credentials IMDS abuse Credential theft

Observed tools

ngrok tmate Gsocket XMRig Pacu Peirates Tsunami Zgrab Masscan

Targeted technologies

K8s Worker Node NGINX Jupyter Notebook JupyterLab Redis Docker Apache Hadoop

References

https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attackhttps://www.sentinelone.com/labs/cloudy-with-a-chance-of-credentials-aws-targeting-cred-stealer-expands-to-azure-gcp/https://permiso.io/blog/s/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining/

Status

Finalized

Last edited

Jun 2, 2024 8:02 AM

A cloud attack campaign possibly orchestrated by the threat actor known as TeamTNT. The campaign primarily involves an aggressive cloud worm that targets JupyterLab and Docker APIs to deploy Tsunami malware, hijack cloud credentials, and execute resource hijacking.

On July 13, 2023, New research was published that found the campaign to be targeting additional services - Docker and Kubernetes environments, Redis servers, Postgres databases, Hadoop clusters, Tomcat and Nginx servers, Weave Scope, SSH, and Jupyter applications, across all CSPs. Additional tools and techniques were observed by researchers, and new indicators of compromise were detected. Customers are advised to check their environments for the newly discovered IoCs.