Crypto-mining worm steals AWS credentials
AWS credential-stealing worm targets Docker and Kubernetes systems. Security researchers from Cado Security have published a new report detailing the discovery of a new botnet that has been active since at least April. While crypto-mining malware is nothing new, this self-propagating worm is also capable of stealing Amazon Web Services (AWS) credentials in the background and delivering them directly to the cybercriminals. The researchers said that the newly discovered malware is relatively unique in its AWS credential-theft functionality. According to the Cado Security post, the worm targets various cloud-based platforms, such as Docker and Kubernetes. The worm also steals local credentials and scans the internet for misconfigured Docker platforms.
Black-T: New Cryptojacking Variant from TeamTNT
The frequent targeting of cloud and container environments is indicative of a vast attack surface for cybercriminals. It is the first botnet malware known to scan for and steal AWS credentials. Attackers have compromised many Docker and Kubernetes systems, along with Kubernetes clusters and Jenkins build servers.
The worm also deploys several openly available malware and offensive-security tools, including punk. The Kinsing worm was designed to bypass Alibaba Cloud security tools. In early April, a bitcoin-mining campaign used the Kinsing malware to scan for misconfigured Docker APIs, then spin up Docker images and install itself. The research team has flagged the latest set of campaigns as a unique development. It is likely that other worms will start to copy the ability to steal AWS credentials.
To thwart such attacks, organizations should review their security configurations to protect AWS deployments from being hijacked. Monitoring network traffic and using firewall rules to limit access to the Docker API are also recommended. The worm also steals local credentials and scans the internet for misconfigured Docker systems. Bottom line: the research team has flagged the latest set of campaigns as a unique development.
Cyjax research sees TeamTNT added to Mitre ATT&CK framework
The worm also steals local credentials and scans the internet for misconfigured Docker platforms. These files are unencrypted and store, in plain text, the credentials for the AWS account along with infrastructure and configuration information. According to Cado Security experts, so far the attackers have not tried to use the stolen credentials in any way. The researchers transferred a batch of their own recorded data to the TeamTNT management server, but so far no third party has tried to access any of these accounts.
Crypto-mining worm steals AWS credentials
By Nathaniel Quist. Category: Cloud, Unit 42. Black-T follows the traditional TeamTNT tactics, techniques and procedures (TTPs) of targeting exposed Docker daemon APIs and performing scanning and cryptojacking operations on the vulnerable systems of affected organizations. Of the new TTPs, most notable is the targeting and stopping of previously unknown cryptojacking worms. Mimikatz is a tool capable of scraping plaintext passwords from Windows systems; it can also perform pass-the-hash and pass-the-token operations, allowing attackers to hijack user sessions. Any passwords obtained through mimipenguins are then exfiltrated to a TeamTNT command and control (C2) node. The Black-T tool can also use three different network scanning tools to identify additional exposed Docker daemon APIs, within the local network of the compromised system and across any number of publicly accessible networks, to extend its cryptojacking operations.
Patriotic hacktivism? Cryptomining worm steals AWS credentials. Carnival discloses data incident. Suspected patriotic hacktivists are defacing websites. A cryptomining worm is stealing AWS credentials.
Crypto-mining worm steals AWS credentials
The TeamTNT cybercrime group has recently updated its crypto-mining worm with password-stealing capabilities and an additional network scanner to make it easier to spread to other vulnerable devices. While known mostly for actively targeting Docker instances to use compromised systems for unauthorized Monero (XMR) mining, the group has now shifted tactics by upgrading its cryptojacking malware to also collect user credentials. Black-T, as the worm has been named by Unit 42, collects any plaintext passwords it finds in the compromised systems' memory and delivers them to TeamTNT's command and control servers. Password scraping and theft. The masscan scanner used by Black-T has also been updated to target the TCP port, which might hint at TeamTNT potentially targeting Android devices, although the evidence for this is currently pretty flimsy according to Unit 42.
TeamTNT Botnet Steals AWS Credentials From Compromised Servers
The TeamTNT botnet is a crypto-mining malware operation that has been active since April and that targets Docker installs. The activity of the TeamTNT group has been detailed by security firm Trend Micro, but the new feature was added only recently. The worm also steals local credentials and scans the internet for misconfigured Docker platforms. The botnet operators have added a feature that scans the infected servers for any Amazon Web Services (AWS) credentials. The malware then copies and uploads both files to the command-and-control server sayhi.
AWS Cryptojacking Worm Spreads Through the Cloud
Once the logins are harvested, the malware logs in and deploys the XMRig miner to mine Monero cryptocurrency. It is, they said, the first threat observed in the wild that specifically targets AWS for cryptojacking purposes.
The Hacker News - Cybersecurity News and Analysis: botnet
The threat actor also targeted misconfigured Docker platforms located on the Internet. The mining of Monero cryptocurrency was carried out by the XMRig mining tool, and the stolen funds were distributed to one of two Monero wallets. The malware also deployed a range of additional tools for post-exploitation and log cleaning, and to install the Diamorphine rootkit and the Tsunami IRC backdoor.
Cryptojacking worm steals AWS credentials from Docker systems
TeamTNT is a threat group that has primarily targeted cloud and containerized environments. The group has been active since at least October and has mainly focused on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments. TeamTNT has obtained domains to host its payloads. TeamTNT has added batch scripts to the startup folder. TeamTNT has used batch scripts to download tools and execute cryptocurrency miners. TeamTNT has used shell scripts for execution. TeamTNT has checked for running containers with docker ps and for specific container names with docker inspect.
TeamTNT is the first cryptomining bot that steals AWS credentials
Social engineering campaigns involving the deployment of the Emotet malware botnet have been observed using "unconventional" IP address formats for the first time in a bid to sidestep detection by security solutions. This involves the use of hexadecimal and octal representations of the IP address that, when processed by the underlying operating system, are automatically converted "to the dotted decimal quad representation to initiate the request from the remote servers," Trend Micro threat analyst Ian Kenefick said in a report on Friday.