Having covered TeamTNT in several of our blog entries over the past couple of years, we embarked on research encompassing the group's campaigns, tools, and techniques in 2020 and early 2021.
Although believed to have been active since 2011, TeamTNT stayed under the radar for many years before exploding onto the scene in 2020. In the past year, the group launched a few preliminary campaigns, notable among them a series of cryptocurrency mining and distributed denial-of-service (DDoS) attacks on Docker daemon ports, and a campaign in which it deployed a DDoS-capable IRC (Internet Relay Chat) bot. Things ramped up in early 2021, as TeamTNT initiated a number of new campaigns targeting various cloud services and using tools and techniques such as malicious shell scripts and other credential-harvesting software to steal cloud credentials.
Probing for and exploiting security weaknesses
What makes TeamTNT particularly noteworthy is not only its targets — primarily cloud-based software and services — but also how quickly it has evolved existing techniques and integrated new ones into its campaigns.
Even so, TeamTNT's method of entry has been largely consistent across its campaigns: it uses a number of scanning tools to find internet-exposed hosts with misconfigurations and vulnerabilities, then exploits those weaknesses to gain a foothold on the system. TeamTNT specializes in finding exploitable gaps in security, be they unsecured Redis instances, exposed Docker APIs, vulnerable internet-of-things (IoT) devices, or leaked credentials.
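Two of the exposures named above, an unauthenticated Docker Engine API and a Redis instance that accepts commands without AUTH, are ones a defender can check for cheaply from the outside. The following is an added example (not Trend Micro's research tooling and not part of TeamTNT's kit) of a self-audit that asks a host the same two questions TeamTNT's scanners ask. The fake Docker and Redis servers, the `audit` helper, and the ports they bind are constructed for the example so that it runs offline against localhost.

```python
"""Self-audit for two exposures TeamTNT scans for: a Docker Engine API reachable
over plain TCP without authentication, and a Redis instance that accepts
commands without AUTH. Added example, not Trend Micro's or TeamTNT's tooling;
the fake servers exist only so the checks can be exercised offline."""
import http.server
import json
import socket
import threading


def _dechunk(body: bytes) -> bytes:
    """Join the pieces of an HTTP chunked-encoded body (sizes are hex)."""
    out = b""
    while True:
        size_line, _, body = body.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            return out
        out += body[:size]
        body = body[size + 2:]  # skip the CRLF that terminates each chunk


def docker_api_exposed(host: str, port: int = 2375, timeout: float = 2.0) -> bool:
    """True if GET /version on host:port returns Docker's JSON version object.

    The daemon's plain-HTTP listener performs no authentication at all, so a 200
    reply carrying "ApiVersion" means anyone who can reach the port can pull
    images and start privileged containers, which is TeamTNT's entry point.
    Connection failures and non-Docker replies both count as "not exposed".
    """
    request = f"GET /version HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request.encode())
            raw = b""
            while chunk := sock.recv(4096):
                raw += chunk
    except OSError:
        return False
    head, _, body = raw.partition(b"\r\n\r\n")
    status = head.split(b"\r\n", 1)[0].split()
    if len(status) < 2 or not status[0].startswith(b"HTTP/") or status[1] != b"200":
        return False
    try:
        if b"transfer-encoding: chunked" in head.lower():
            body = _dechunk(body)
        parsed = json.loads(body)
    except ValueError:
        return False
    return isinstance(parsed, dict) and "ApiVersion" in parsed


def redis_unauthenticated(host: str, port: int = 6379, timeout: float = 2.0) -> bool:
    """True if Redis answers PING with +PONG, i.e. it executes commands with no AUTH.

    A hardened instance replies "-NOAUTH Authentication required." (requirepass or
    ACLs set) or "-DENIED ..." (protected mode refusing non-loopback clients).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(b"*1\r\n$4\r\nPING\r\n")  # RESP-encoded PING
            reply = sock.recv(1024)
    except OSError:
        return False
    return reply.startswith(b"+PONG")


def audit(host: str, docker_port: int = 2375, redis_port: int = 6379) -> dict:
    """Run both checks against one host and return the findings by name."""
    return {
        "docker_api_unauthenticated": docker_api_exposed(host, docker_port),
        "redis_unauthenticated": redis_unauthenticated(host, redis_port),
    }


# --- fake services, constructed for the example so it runs offline -------------

class _FakeDockerHandler(http.server.BaseHTTPRequestHandler):
    """Mimics an exposed daemon: any GET returns a Docker-style version object."""

    def do_GET(self):
        body = json.dumps({"ApiVersion": "1.41", "Version": "20.10.0"}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example's output quiet
        pass


def start_fake_docker() -> int:
    """Start the fake daemon on an ephemeral loopback port and return the port."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _FakeDockerHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


def start_fake_redis(require_auth: bool) -> int:
    """Start a one-reply fake Redis: +PONG if open, -NOAUTH if authentication is on."""
    reply = b"-NOAUTH Authentication required.\r\n" if require_auth else b"+PONG\r\n"
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)

    def serve():
        while True:
            conn, _ = listener.accept()
            with conn:
                conn.recv(1024)
                conn.sendall(reply)

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1]


if __name__ == "__main__":
    docker_port = start_fake_docker()
    open_redis = start_fake_redis(require_auth=False)
    locked_redis = start_fake_redis(require_auth=True)
    print("exposed daemon, locked redis:", audit("127.0.0.1", docker_port, locked_redis))
    print("open redis reachable       :", redis_unauthenticated("127.0.0.1", open_redis))
```

Run it only against hosts you own. A `True` for Docker means the daemon's TCP listener should be switched to TLS with client-certificate verification (`tlsverify` with `tlscacert`, `tlscert` and `tlskey` in `daemon.json`) or dropped in favour of the Unix socket; a `True` for Redis means `requirepass` or ACLs should be configured and the instance bound to a non-public interface with `protected-mode yes`. Both checks treat a connection failure as "not exposed", so a firewall that drops the probe reads as clean, which is the intended outcome.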
For a victim organization, the group's payloads, if successfully deployed, are at best disruptive, as with cryptocurrency miners that consume paid compute, and at worst cause heavy monetary loss and reputational damage, especially if the group manages to exfiltrate credentials and other sensitive information from the organization.
Dealing with misconfigurations and other security concerns
TeamTNT has been successful largely because exploitable security weaknesses remain common. While it is admittedly difficult to eliminate them completely, enterprises need to prioritize security as much as they can: implement the most effective strategies for protecting the cloud from external attacks, and be clear about which parts of the shared responsibility model they are accountable for (the provider secures the underlying platform; the customer secures its own workloads, configurations, and credentials).
Here are several best practices that organizations should consider putting into place:
Enterprises should also consider using security solutions such as the Trend Micro Cloud One™ platform, which protects cloud-native systems by securing continuous-integration and continuous-delivery (CI/CD) pipelines and applications. The platform includes: