Having covered TeamTNT in several of our blog entries over the past couple of years, we embarked on a research that encompasses the malicious actor group’s campaigns, tools, and techniques in 2020 and early 2021.
Although believed to have been active since 2011, TeamTNT stayed under the radar for many years before exploding onto the scene in 2020. In the past year, the group launched a few preliminary campaigns, including such notable ones as a series of cryptocurrency mining and distributed denial-of-service (DDoS) attacks on Docker Daemon parts, and a campaign where it deployed a DDoS-capable IRC (Internet Relay Chat) bot. Things ramped up in early 2021, as TeamTNT initiated a number of new campaigns targeting various cloud services and using tools and techniques such as malicious shell scripts and other credential harvesting software to steal cloud credentials.
Probing for and exploiting security weaknesses
What makes TeamTNT particularly noteworthy is not only its targets — primarily cloud-based software and services — but also how quickly it has evolved existing techniques and integrated new ones into its campaigns.
Be that as it may, in most of the group’s campaigns, TeamTNT’s method of entry is more or less consistent: It uses a number of tools to scan the internet for potential targets with misconfigurations and vulnerabilities, and takes advantage of these weaknesses to gain a foothold in the systems. TeamTNT specializes in finding exploitable gaps in security, be they unsecured Redis instances, exposed Docker APIs, vulnerable internet-of-things (IoT) devices, or leaked credentials.
For a victim organization, the group’s payloads, if successfully deployed, could at best be disruptive — as with cryptocurrency miners — and at worst cause heavy monetary loss and even reputational damage — especially if the group manages to exfiltrate credentials and other sensitive information from the organization.
Dealing with misconfigurations and other security concerns
TeamTNT has largely been successful because of various exploitable security weaknesses. While it is admittedly difficult to completely eliminate these, enterprises need to prioritize security as much as they can. They should implement the most effective strategies for protecting the cloud from external attacks, while also being mindful of which aspects of the shared responsibility model they need to be accountable for.
Here are several best practices that organizations should consider putting into place:
- Grant users access only to the parts of the system they need in order to reduce possible entry points and contain damage even in the event of a successful attack. This is known as the principle of least privilege.
- Implement private keys authentication for Secure Shell (SSH) on the client side for stronger access control security.
- Regularly patch and update systems and devices to minimize instances of vulnerability exploitation. For organizations that need time to implement patches, virtual patching can provide buffer time, helping protect their systems from vulnerabilities while updates are still being prepared.
Enterprises should also consider using security solutions such as the Trend Micro Cloud One™ platform, which protects cloud-native systems by securing continuous-integration and continuous-delivery (CI/CD) pipelines and applications. The platform includes:
- Workload Security: runtime protection for workloads
- Container Security: automated container image and registry scanning
- File Storage Security: security for cloud files and object storage services
- Network Security: cloud network layer for intrusion prevention system (IPS) security
- Application Security: security for serverless functions, APIs, and applications
- Conformity: real-time security for cloud infrastructure — secure, optimize, comply