Type
Campaign
Actors
SilentBob, TeamTNT
Pub. date
July 13, 2023
Initial access
Software misconfig
Impact
Resource hijacking
Observed techniques
Create SSH backdoor, Steal EC2 Instance Credentials, IMDS abuse, Credential theft
Observed tools
ngrok, tmate, Gsocket, XMRig, Pacu, Peirates, Tsunami, Zgrab, Masscan
Targeted technologies
Kubernetes, NGINX, Jupyter Notebook, JupyterLab, Redis, Docker, Apache Hadoop
References
https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack
https://www.sentinelone.com/labs/cloudy-with-a-chance-of-credentials-aws-targeting-cred-stealer-expands-to-azure-gcp/
https://permiso.io/blog/s/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining/
Status
Finalized
Last edited
Jun 2, 2024 8:02 AM
A cloud attack campaign possibly orchestrated by the threat actor known as TeamTNT. The campaign centers on an aggressive cloud worm that targets exposed JupyterLab and Docker APIs to deploy the Tsunami malware, steal cloud credentials, and carry out resource hijacking (cryptomining).
On July 13, 2023, new research was published showing that the campaign had expanded to additional services: Docker and Kubernetes environments, Redis servers, Postgres databases, Hadoop clusters, Tomcat and Nginx servers, Weave Scope, SSH, and Jupyter applications, across all CSPs. Researchers observed additional tools and techniques and detected new indicators of compromise. Customers are advised to check their environments for the newly discovered IoCs.