Over 50,000 IPs Across Multiple Kubernetes Clusters Were Compromised by the TeamTNT Threat Actors

Researchers from Trend Micro disclosed that close to 50,000 IPs were compromised across multiple Kubernetes clusters in a cryptojacking campaign conducted by the TeamTNT group.

Kubernetes, developed and backed by Google, is one of the most widely adopted container orchestration platforms for automating the deployment, scaling, and management of containerized applications.

Kubernetes clusters make an attractive target for threat actors because they are often misconfigured, especially those running primarily in cloud environments with access to nearly unlimited compute resources.

According to the analysis, close to 50,000 IPs were found compromised across multiple clusters in this attack perpetrated by TeamTNT. More than a few IPs were repeatedly exploited during the timeframe, and the majority of the compromised nodes were located in China and the US.

How Is a Kubernetes Cluster Compromised?

Previously, Trend Micro highlighted that TeamTNT was actively stealing AWS, Docker, and Linux Secure Shell credentials, as well as waging cryptojacking attacks and placing backdoors – such as IRC bots and remote shells – inside Linux devices.

Researchers at Trend Micro analyzed one of the scripts they collected from a TeamTNT server. “TeamTNT at first wanted to disable the bash history on the target host and define environment variables for its command-and-control server, such as the script to install the crypto miner later and the binary of the XMRig Monero miner”, Trend Micro researchers say.

The script also installs two free, open-source tools available from GitHub: the network scanner masscan, written in C, and the deprecated banner-grabbing tool Zgrab, written in Go. The newer Zgrab2 is also open source and available on GitHub but is not installed by the script.

TeamTNT subsequently installs its Internet Relay Chat (IRC) bot. The IRC bot is written in C and is stored in the /tmp folder under the name kube.c to avoid suspicion.

The bot code is compiled with the GNU Compiler Collection (GCC), and the source file is removed once compilation completes. The resulting binary is then moved to the /root folder and renamed kube.

An IRC bot is a set of scripts or an independent program that connects to Internet Relay Chat as a client, so it appears to other IRC users as just another user. The IRC bot used by TeamTNT, written in C, is based on another well-known IRC bot called Kaiten. In the last part of the script, a function – kube_pwn() – uses masscan to look for hosts with port 10250 open.

“Once the connection is established, the attackers then use the Masscan port scanner to scan the internal network of the targeted Kubernetes cluster to look for other unsecured or misconfigured Kubelet agents”, reads the analysis published by Trend Micro.
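The internal sweep described above leaves a recognisable shape in network telemetry: one source fanning out to many hosts on port 10250 in a short window. The following detector is an added example, not code from the Trend Micro report or the TeamTNT script; the flow record format and sample records are constructed.

```python
"""Flag an internal sweep for the kubelet port (10250) in connection records.
Added example, not code from the Trend Micro report or the TeamTNT script.
The record format is constructed: "<epoch> <src_ip> <dst_ip> <dst_port>",
one connection attempt per line, as a normalised flow export might look.
"""
from collections import defaultdict
KUBELET_PORT = 10250

def parse_flows(text):
    """Parse the constructed flow format into (ts, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        flows.append((int(ts), src, dst, int(port)))
    return flows

def find_kubelet_sweeps(flows, window=60, threshold=5):
    """Return {src_ip: distinct hosts} for sources that hit more than `threshold`
    distinct hosts on 10250 within any `window` seconds: the shape a masscan sweep
    leaves. The API server and metrics collectors also reach kubelets; tune it."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == KUBELET_PORT:
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        left, best = 0, 0
        for right, (ts, _) in enumerate(events):
            while ts - events[left][0] > window:  # slide the window start
                left += 1
            best = max(best, len({d for _, d in events[left:right + 1]}))
        if best > threshold:
            hits[src] = best
    return hits

SAMPLE_FLOWS = """# constructed: one pod IP fanning out across the node subnet
1700000000 10.244.1.7 10.0.1.10 10250
1700000001 10.244.1.7 10.0.1.11 10250
1700000001 10.244.1.7 10.0.1.12 10250
1700000002 10.244.1.7 10.0.1.13 10250
1700000002 10.244.1.7 10.0.1.14 10250
1700000003 10.244.1.7 10.0.1.15 10250
1700000004 10.244.1.7 10.0.1.10 443
1700000010 10.0.0.5 10.0.1.10 250
1700000011 10.0.0.5 10.0.1.11 10250
"""
```

Run against a real flow or conntrack export after mapping its columns to the constructed format; a hit names the source that should be isolated and inspected for kube.c or masscan.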

Kubelets

This port belongs to the kubelet API, and by default it is open on all nodes of a cluster, including the control plane and worker nodes. Kubelet is the agent that runs on each node and ensures that the containers in a pod are running. It is also the agent responsible for applying configuration changes on the nodes.

For each container running on each node, the script abuses the /run endpoint of the kubelet API to execute the following commands:

1. Updates the package index of the container.

2. Installs the following packages: bash, wget and curl.

3. Downloads a shell script called setup_xmr.sh from the TeamTNT C&C server and saves it in the /tmp folder.

4. Executes the script to start mining for the Monero cryptocurrency.
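The /run path above only works when the kubelet accepts anonymous requests and authorizes them without asking the API server. The audit below, an added example rather than code from the Trend Micro report, checks a kubelet config file for exactly those settings; the config samples are constructed and the CA path is a placeholder.

```python
"""Audit a KubeletConfiguration for settings that expose the kubelet /run
endpoint to unauthenticated callers.
Added example, not code from the Trend Micro report or the TeamTNT script.
Input is a kubelet config file in JSON (the kubelet accepts JSON or YAML; JSON
avoids a parser dependency). Keys are real KubeletConfiguration keys; the
value assumed for an absent key is stated in each check's comment.
"""
import json

def audit_kubelet_config(cfg):
    """Return a list of findings; empty when the config closes the /run path."""
    findings = []
    auth = cfg.get("authentication", {})
    # Anonymous auth is what turns a masscan hit on 10250 into code execution.
    # Assumed config-file default when absent: false.
    if auth.get("anonymous", {}).get("enabled", False):
        findings.append("authentication.anonymous.enabled is true: unauthenticated "
                        "requests are accepted; only authorization guards /run")
    # Without a client CA the kubelet cannot verify certificate-based callers.
    if not auth.get("x509", {}).get("clientCAFile"):
        findings.append("authentication.x509.clientCAFile is not set")
    # AlwaysAllow skips the SubjectAccessReview, so even anonymous callers pass.
    # Assumed config-file default when absent: Webhook.
    mode = cfg.get("authorization", {}).get("mode", "Webhook")
    if mode != "Webhook":
        findings.append(f"authorization.mode is {mode}: expected Webhook")
    # The read-only port (10255) serves pod specs with no auth at all.
    # Assumed config-file default when absent: 0 (disabled).
    port = cfg.get("readOnlyPort", 0)
    if port != 0:
        findings.append(f"readOnlyPort is {port}: should be 0")
    return findings

def audit_file_text(text):
    """Audit the contents of a JSON kubelet config file."""
    return audit_kubelet_config(json.loads(text))

# Constructed sample: the permissive shape the campaign's sweep looks for.
WEAK_CONFIG = json.dumps({
    "kind": "KubeletConfiguration", "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "authentication": {"anonymous": {"enabled": True}},
    "authorization": {"mode": "AlwaysAllow"}, "readOnlyPort": 10255})

# Constructed sample: the same file hardened (CA path is a placeholder).
HARDENED_CONFIG = json.dumps({
    "kind": "KubeletConfiguration", "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "authentication": {"anonymous": {"enabled": False},
                       "x509": {"clientCAFile": "/path/to/ca.crt"}},
    "authorization": {"mode": "Webhook"}, "readOnlyPort": 0})
```

Clusters that configure the kubelet with command-line flags instead of a file need the equivalent flag check, since the flag defaults differ from the config-file defaults assumed here.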

Final Word

Researchers note that the constant use of cryptojacking and credential stealing indicates that these will remain in the threat actor’s primary set of techniques for the near future.

The high number of targets shows that TeamTNT is still expanding its reach (especially in cloud environments) and perhaps its infrastructure, since the group can monetize more from its campaigns as the pool of potential victims grows.

Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
