Full Report
A cloud attack campaign possibly orchestrated by the threat actor known as TeamTNT. The campaign centers on an aggressive cloud worm that targets exposed JupyterLab and Docker APIs to deploy Tsunami malware, hijack cloud credentials, and hijack compute resources for cryptomining. On July 13, ...
Analysis Summary
# Incident Report: SilentBob/TeamTNT Cloud Worm Campaign Targeting Cloud Resources
## Executive Summary
A pervasive cloud attack campaign, attributed by the original researchers (with some stated uncertainty) to the actor known as TeamTNT, used an aggressive cloud worm that targets exposed, unauthenticated services, principally JupyterLab and Docker APIs. Its goals were theft of cloud credentials and hijacking of compute resources: the worm deployed the Tsunami IRC bot as a foothold and the XMRig miner for cryptomining. Response efforts focused on identifying compromised environments and hunting for the published Indicators of Compromise (IoCs).
## Incident Details
- **Discovery Date:** Research published July 13, 2023 (indicating ongoing activity prior)
- **Incident Date:** Activity observed preceding and around July 13, 2023
- **Affected Organization:** Multiple cloud environments across various CSPs (Cloud Service Providers)
- **Sector:** Cloud Infrastructure/Technology (Broadly affected)
- **Geography:** Global (targeting CSP-hosted environments)
## Timeline of Events
### Initial Access
- **Date/Time:** Activity observed preceding and around July 13, 2023
- **Vector:** Internet-facing service misconfiguration and exposed APIs.
- **Details:** Targets were internet-exposed, typically unauthenticated services found by scanning: JupyterLab and Docker APIs, SSH, Kubernetes, NGINX, Redis, Postgres, and Hadoop clusters.
### Lateral Movement
- **Details:** The worm is built for automated propagation across cloud environments: each compromised host scans for further exposed services and infects them. Observed techniques include installing an SSH backdoor for persistence and querying the Instance Metadata Service (IMDS) from the compromised workload to read the instance role's temporary credentials, which are valid across the AWS account rather than only on that host. The presence of tooling such as Pacu (an AWS exploitation framework) indicates that harvesting and using those credentials was automated.
### Data Exfiltration/Impact
- **Impact:** Primarily resource hijacking (cryptomining via XMRig), credential theft (instance-role credentials read from IMDS), and deployment of the Tsunami IRC bot, which gives the operators remote control of the host.
### Detection & Response
- **How it was discovered:** Public research and threat intelligence sharing (July 13, 2023).
- **Response actions taken:** Customers were advised to check environments for newly discovered IoCs associated with these tools and techniques.
## Attack Methodology
- **Initial Access:** Software misconfiguration; direct exploitation of exposed JupyterLab and Docker APIs.
- **Persistence:** Creation of an `SSH backdoor` (typically an attacker-controlled public key added to `authorized_keys`, so that access survives removal of the malware).
- **Privilege Escalation:** Not explicitly detailed. Note that an unauthenticated Docker API is already root-equivalent on the host (a privileged container, or one that bind-mounts `/`, can be started through it), and instance-role credentials read from IMDS extend that foothold to the cloud account.
- **Defense Evasion:** Use of legitimate tunnelling and terminal-sharing tools (`ngrok`, `tmate`), whose connections to their vendors' infrastructure blend in with normal outbound SaaS traffic, alongside the malware itself.
- **Credential Access:** Reading EC2 instance-role credentials from the IMDS endpoint (`169.254.169.254`); with IMDSv1 enabled, any process on the instance, including one inside a container, can do this with two unauthenticated HTTP requests.
- **Discovery:** Internet-wide port scanning from compromised hosts with `Masscan` to find the next set of exposed targets.
- **Lateral Movement:** Worm-style propagation to newly discovered hosts; use of `Pacu` (an AWS exploitation framework) against the account reached with stolen credentials.
- **Collection:** Harvesting cloud credentials.
- **Exfiltration:** Not the primary goal, but configuration data/credentials potentially exfiltrated or used internally.
- **Impact:** Resource hijacking (Cryptomining using XMRig), deployment of Tsunami malware.
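The credential-access step above, replayed against a local mock of the EC2 Instance Metadata Service. This is an added example, not code from the campaign or from the original research; the server, the role name `worm-demo-role` and the credential values are all constructed, and nothing here contacts AWS. It shows the two unauthenticated GETs that work against IMDSv1, the 401 that an IMDSv2-only endpoint returns to them, and the PUT-for-token exchange that IMDSv2 requires. The last point is the caveat: a worm that already runs on the instance can perform the PUT itself, so IMDSv2 on its own only blocks the SSRF-style and hop-limited cases; what stops the container-to-account jump is the response hop limit of 1 plus a least-privilege role.

```python
"""Added example: the IMDS credential-theft step of the worm, replayed against a
local mock of the EC2 Instance Metadata Service.  Nothing here talks to AWS; the
server, the role name and the credentials are all fake and constructed for the demo."""
import http.server
import json
import secrets
import threading
import time
import urllib.error
import urllib.request

FAKE_ROLE = "worm-demo-role"                      # constructed
FAKE_CREDS = {                                    # constructed, not real keys
    "AccessKeyId": "ASIAFAKEEXAMPLE00001",
    "SecretAccessKey": "not-a-real-secret",
    "Token": "not-a-real-session-token",
    "Expiration": "2023-07-13T12:00:00Z",
}
ROLE_PATH = "/latest/meta-data/iam/security-credentials/"


class MockIMDS(http.server.BaseHTTPRequestHandler):
    """Minimal IMDS: v1 = plain GET; v2 = PUT /latest/api/token first, then GET with the token."""
    require_token = False   # True emulates HttpTokens=required (IMDSv2-only)
    tokens = {}             # token -> expiry time

    def log_message(self, *args):   # keep the demo quiet
        pass

    def _reply(self, code, body=""):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):
        if self.path != "/latest/api/token":
            return self._reply(404)
        ttl = self.headers.get("X-aws-ec2-metadata-token-ttl-seconds", "")
        if not ttl.isdigit() or not 1 <= int(ttl) <= 21600:   # real IMDS rejects a missing/bad TTL
            return self._reply(400)
        token = secrets.token_urlsafe(32)
        self.tokens[token] = time.time() + int(ttl)
        self._reply(200, token)

    def do_GET(self):
        token = self.headers.get("X-aws-ec2-metadata-token")
        authenticated = token in self.tokens and self.tokens[token] > time.time()
        if self.require_token and not authenticated:
            return self._reply(401, "Unauthorized")
        if self.path == ROLE_PATH:
            return self._reply(200, FAKE_ROLE)
        if self.path == ROLE_PATH + FAKE_ROLE:
            return self._reply(200, json.dumps(FAKE_CREDS))
        self._reply(404)


def start_imds(require_token):
    """Start a mock IMDS on a free loopback port; returns (server, base_url)."""
    handler = type("Handler", (MockIMDS,), {"require_token": require_token, "tokens": {}})
    server = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def _get(url, headers=None):
    req = urllib.request.Request(url, headers=headers or {})
    return urllib.request.urlopen(req, timeout=3).read().decode()


def steal_v1(base):
    """IMDSv1 path: two unauthenticated GETs, the pattern a worm or an SSRF bug can use.
    Returns the credential dict, or None when the endpoint refuses token-less requests."""
    try:
        role = _get(base + ROLE_PATH)
        return json.loads(_get(base + ROLE_PATH + role))
    except urllib.error.HTTPError:
        return None


def steal_v2(base):
    """IMDSv2 path: obtain a session token with PUT, then present it on every GET.
    A process already on the instance can do this too, hence the hop-limit caveat."""
    req = urllib.request.Request(base + "/latest/api/token", method="PUT",
                                 headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    token = urllib.request.urlopen(req, timeout=3).read().decode()
    hdr = {"X-aws-ec2-metadata-token": token}
    role = _get(base + ROLE_PATH, hdr)
    return json.loads(_get(base + ROLE_PATH + role, hdr))


if __name__ == "__main__":
    v1_srv, v1 = start_imds(require_token=False)
    v2_srv, v2 = start_imds(require_token=True)
    print("IMDSv1 allowed, v1 theft:", steal_v1(v1))
    print("IMDSv2 required, v1 theft:", steal_v1(v2))
    print("IMDSv2 required, v2 theft:", steal_v2(v2))
    v1_srv.shutdown()
    v2_srv.shutdown()
```

The real endpoint sits at `169.254.169.254`; the mock binds loopback only so the example runs offline. Setting `HttpTokens=required` on the instance corresponds to `require_token=True` here.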
## Impact Assessment
- **Financial:** Costs associated with unauthorized resource consumption (cloud billing overages due to cryptomining).
- **Data Breach:** Theft of sensitive cloud credentials (EC2/Cloud access keys).
- **Operational:** Potential service disruption or degradation due to resource exhaustion from cryptomining.
- **Reputational:** Negative impact due to compromises across diverse cloud installations.
## Indicators of Compromise
- **Network indicators (Defanged):** None are reproduced in this summary. The relevant classes are the IRC command-and-control endpoints of the Tsunami bot, mining-pool connections from XMRig, and tunnel endpoints of `ngrok` or `tmate`; the specific addresses are in the original research.
- **File indicators:** Deployments of `Tsunami` malware, `XMRig` executables.
- **Behavioral indicators:** Unauthorized additions to `authorized_keys`; HTTP requests to `169.254.169.254` from container or notebook processes; the instance role's temporary keys later used from IP addresses outside the account (visible in CloudTrail); container creation through the Docker API from external addresses; long-lived outbound connections to mining-pool ports together with sustained high CPU consumption, which is how cryptomining shows up (the traffic volume itself is small).
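Rule-based detection of three of those behavioral indicators over sample logs, as an added example (not detection content from the original report). It reads AWS VPC Flow Logs in the default v2 field order and auditd `SYSCALL` records produced by a watch rule such as `-w /root/.ssh/authorized_keys -p wa -k ssh_keys`; the sample lines, account ID, ENI and addresses are constructed, the stratum port list is a heuristic, and the management-port table is an assumption about what is exposed in the environment being monitored.

```python
"""Added example: rule-based detection of the campaign's behavioral indicators over
constructed sample logs (AWS VPC Flow Logs in the default v2 format, and auditd
SYSCALL records from a watch rule keyed "ssh_keys").  All sample lines are made up."""
import ipaddress
import shlex
from dataclasses import dataclass

# RFC 1918 and link-local ranges count as "inside".  ipaddress.is_private is not used on
# purpose: it also treats the TEST-NET documentation ranges used in the sample as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
MGMT_PORTS = {2375: "Docker API (plain TCP)", 2376: "Docker API (TLS)", 8888: "Jupyter",
              6443: "Kubernetes API", 10250: "kubelet", 6379: "Redis", 5432: "Postgres", 22: "SSH"}
MINER_PORTS = {3333, 4444, 5555, 7777, 14444}   # heuristic: common stratum mining-pool ports
FLOW_FIELDS = ("version account eni src dst srcport dstport proto "
               "packets bytes start end action status").split()

# Constructed sample: an inbound hit on an exposed Docker API from outside, its reply
# direction, an outbound flow to a mining-pool port, a benign internal SSH session, and an
# auditd record (auid=4294967295 means no login session) for a write to root's authorized_keys.
SAMPLE_LOGS = """\
2 123456789012 eni-0abc123 198.51.100.23 10.0.1.15 41822 2375 6 12 2480 1689249600 1689249660 ACCEPT OK
2 123456789012 eni-0abc123 10.0.1.15 198.51.100.23 2375 41822 6 10 9000 1689249600 1689249660 ACCEPT OK
2 123456789012 eni-0abc123 10.0.1.15 203.0.113.77 50112 3333 6 840 121000 1689249720 1689249780 ACCEPT OK
2 123456789012 eni-0abc123 10.0.1.20 10.0.1.15 39000 22 6 30 5120 1689249800 1689249860 ACCEPT OK
type=SYSCALL msg=audit(1689249700.115:812): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=1 pid=4321 auid=4294967295 uid=0 gid=0 euid=0 comm="sh" exe="/usr/bin/dash" key="ssh_keys"
type=PATH msg=audit(1689249700.115:812): item=1 name="/root/.ssh/authorized_keys" inode=1234 dev=ca:01 mode=0100600 ouid=0 ogid=0 nametype=NORMAL
"""


@dataclass
class Finding:
    rule: str
    detail: str


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Parse a v2 VPC flow log record; returns None for anything else."""
    parts = line.split()
    if len(parts) != len(FLOW_FIELDS) or parts[0] != "2":
        return None
    rec = dict(zip(FLOW_FIELDS, parts))
    for k in ("srcport", "dstport", "proto", "packets", "bytes"):
        rec[k] = int(rec[k])
    return rec


def parse_audit(line):
    """Split an auditd record into a dict; shlex handles the quoted values."""
    if not line.startswith("type="):
        return None
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def detect(lines):
    """Apply the three rules in order and return the findings found in each line."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow and flow["action"] == "ACCEPT":
            if flow["dstport"] in MGMT_PORTS and not is_internal(flow["src"]) and is_internal(flow["dst"]):
                findings.append(Finding("exposed_mgmt_api",
                    f"{flow['src']} reached {MGMT_PORTS[flow['dstport']]} on {flow['dst']}"))
            elif flow["dstport"] in MINER_PORTS and is_internal(flow["src"]) and not is_internal(flow["dst"]):
                findings.append(Finding("miner_egress",
                    f"{flow['src']} -> {flow['dst']}:{flow['dstport']} ({flow['bytes']} bytes)"))
            continue
        rec = parse_audit(line)
        if rec and rec.get("type") == "SYSCALL" and rec.get("key") == "ssh_keys":
            session = "no login session" if rec.get("auid") == "4294967295" else f"auid={rec.get('auid')}"
            findings.append(Finding("ssh_backdoor",
                f"authorized_keys modified by {rec.get('exe')} (comm={rec.get('comm')}, {session})"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS.splitlines()):
        print(f"[{f.rule}] {f.detail}")
```

The `auid` check is the useful part of the SSH rule: a key written by an interactive admin carries their login UID, while a worm dropping a key from a container or a cron job has none. Requests to the IMDS endpoint do not appear in VPC Flow Logs (link-local traffic is not captured), so that indicator has to come from host-level or CloudTrail telemetry instead.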
## Response Actions
- **Containment:** Disabling compromised exposed services (Jupyter, Docker APIs); revoking stolen credentials; isolating compromised VMs/instances.
- **Eradication:** Removing deployed malware (`Tsunami`, `XMRig`) and deleting unauthorized backdoors (`SSH backdoor`).
- **Recovery:** Hardening cloud configurations, patching exposed services, and restoring operational security baseline.
## Lessons Learned
- Over-exposed configuration management interfaces (JupyterLab, Docker API) present a critical, high-priority attack surface in cloud environments.
- The Instance Metadata Service turns any code execution on an instance into cloud-account credentials whenever it is reachable without restriction (IMDSv1, or IMDSv2 with a response hop limit that containers can satisfy); the exposed service, not weak passwords, is what made IMDS abuse and the resulting lateral movement possible here.
- Cryptomining campaigns are a primary, immediate driver for automated cloud worm activity.
## Recommendations
- Immediately audit and restrict public internet access to all management APIs (Docker, Jupyter, Kubernetes dashboards).
- Implement strict IAM policies that enforce least privilege on instance roles, so that stolen IMDS credentials yield little; require IMDSv2 (`HttpTokens=required`) with a response hop limit of 1 so that containers on bridge networking cannot reach the metadata endpoint.
- Aggregate logs from all cloud services (Kubernetes, Redis, databases) and from the hosts themselves, so that outbound scanning from a compromised instance (Masscan) and unusual persistence (new `authorized_keys` entries) are detected quickly.
- Utilize specialized Cloud Workload Protection Platform (CWPP) solutions to monitor for malware deployment (Tsunami) and cryptominer execution (XMRig) within compute instances.
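Static checks for the two misconfigurations that gave this worm its foothold, an unauthenticated Docker daemon on TCP and a Jupyter server with authentication switched off, each shown in a weak and a hardened form. This is an added example and not part of the original report; the configuration files are constructed illustrations (the paths under `/etc/docker/` and the address `10.0.1.15` are assumptions), the `daemon.json` keys and the `c.ServerApp.*` traitlets are real Docker and Jupyter Server settings, and the Jupyter audit is a line-based heuristic rather than a full evaluation of the config file.

```python
"""Added example: audit a Docker daemon.json and a Jupyter server config for the settings
that exposed these services to the worm.  Configs are constructed illustrations."""
import ast
import json
import re

WEAK_DAEMON_JSON = """
{ "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"] }
"""
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.1.15:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""
WEAK_JUPYTER = """
c = get_config()
c.ServerApp.ip = '0.0.0.0'
c.ServerApp.token = ''
c.ServerApp.password = ''
c.ServerApp.allow_root = True
"""
HARDENED_JUPYTER = """
c = get_config()
c.ServerApp.ip = '127.0.0.1'
c.ServerApp.allow_remote_access = False
c.ServerApp.allow_root = False
# token left at its auto-generated default; set a hashed password with `jupyter server password`
"""

ALL_INTERFACES = {"", "0.0.0.0", "::", "[::]", "*"}
JUPYTER_LINE = re.compile(r"^\s*c\.(?:ServerApp|NotebookApp|IdentityProvider)\.(\w+)\s*=\s*(.+?)\s*$")


def audit_docker_daemon(cfg_text):
    """Return a list of findings for a daemon.json; empty means no issue found."""
    cfg = json.loads(cfg_text)
    findings = []
    for h in cfg.get("hosts", []):
        if not h.startswith("tcp://"):
            continue                      # unix:// and fd:// listeners are local-only
        host = h[len("tcp://"):].rsplit(":", 1)[0]
        if not cfg.get("tlsverify"):      # "tls": true alone encrypts but does not authenticate clients
            findings.append(f"{h}: TCP listener without tlsverify; anyone who can connect gets a root-equivalent API")
        if host in ALL_INTERFACES:
            findings.append(f"{h}: bound to every interface; bind to a private address and firewall it")
    return findings


def audit_jupyter_config(cfg_text):
    """Return a list of findings for a jupyter_server_config.py-style file."""
    settings = {}
    for line in cfg_text.splitlines():
        m = JUPYTER_LINE.match(line)
        if m:
            try:
                settings[m.group(1)] = ast.literal_eval(m.group(2))
            except (ValueError, SyntaxError):
                settings[m.group(1)] = m.group(2)   # keep non-literal expressions verbatim
    findings = []
    if settings.get("ip") in ALL_INTERFACES:
        findings.append("ip: listening on all interfaces")
    if settings.get("token") == "" and not settings.get("password"):
        findings.append("token: empty token with no password, the server runs with no authentication")
    if settings.get("allow_root") is True:
        findings.append("allow_root: kernels run as root, so any notebook code owns the host")
    return findings


if __name__ == "__main__":
    for name, text, fn in (("weak daemon.json", WEAK_DAEMON_JSON, audit_docker_daemon),
                           ("hardened daemon.json", HARDENED_DAEMON_JSON, audit_docker_daemon),
                           ("weak jupyter", WEAK_JUPYTER, audit_jupyter_config),
                           ("hardened jupyter", HARDENED_JUPYTER, audit_jupyter_config)):
        print(name, "->", fn(text) or "no findings")
```

Two practical notes. On Debian and Ubuntu packages the systemd unit already passes `-H fd://`, and dockerd refuses to start when `hosts` is set both on the command line and in `daemon.json`; the flag has to be removed with a unit override before the hardened file above works. For Jupyter, the hardened form binds to loopback and relies on the default generated token or a hashed password; if remote access is genuinely needed, put the server behind an authenticating reverse proxy rather than setting `ip` to `0.0.0.0`.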