
Chris Doman & Matt Georgy
As organizations have shifted to the cloud, it's not surprising that threat actors have followed. Below, we run through some of the most prominent attacks in the cloud today and how to perform cloud forensics and incident response to resolve them.
TeamTNT, the cloud and containers
TeamTNT is a cybercriminal group that targets cloud and container environments. It has been active since at least April 2020 and has evolved its tactics and tooling over time. Methods used by TeamTNT include:
- Scanning for exposed Docker APIs and Kubernetes clusters, and deploying malicious containers that run cryptojacking malware or backdoors:
Figure 1: How TeamTNT compromises systems over exposed Docker and Kubernetes APIs
- Stealing cloud credentials from compromised instances, and using them to access other cloud resources or services:
Figure 2: A shell script from TeamTNT that steals AWS credentials
- Installing a custom IRC botnet client that allows TeamTNT to remotely control the infected machines and execute commands.
- Leveraging existing tooling such as Weave Scope, Peirates, and Kinsing for persistence, lateral movement, and privilege escalation within the cloud environment.
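The behaviours listed above are also what an incident responder looks for once a host or cluster is suspected of being compromised. The following triage helper is an added example written for this article, not code from the original post or from TeamTNT. It takes container metadata in the shape returned by `docker inspect` and a list of shell commands recovered from the host (bash history, process listings, container logs), and flags the three indicators the list describes: containers created with privileged or host-level access, harvesting of AWS credentials from the credential file, environment, or the instance metadata service at 169.254.169.254, and IRC command-and-control. The rule set and the sample data are constructed for illustration; the regular expressions are this example's own heuristics, not a published TeamTNT signature.

```python
"""Triage helper for TeamTNT-style indicators on a Docker host.

Added example, not code from the original article or from TeamTNT.
The rules below are assumptions of this example; the sample inspect
output and command list are constructed, not captured from an incident.
"""
import json
import re

# AWS Instance Metadata Service address; IMDSv1 exposes IAM role
# credentials under /latest/meta-data/iam/security-credentials/.
IMDS_HOST = "169.254.169.254"

# Command-line heuristics (assumed indicators, not a published signature).
CMD_RULES = [
    ("aws_credential_file", re.compile(r"\.aws/credentials")),
    ("aws_env_dump", re.compile(r"AWS_(?:ACCESS_KEY_ID|SECRET_ACCESS_KEY)")),
    ("imds_credential_fetch",
     re.compile(re.escape(IMDS_HOST) + r"/latest/meta-data/iam/")),
    ("irc_client", re.compile(r"(?:\birc://|\b6667\b|\bPRIVMSG\b)")),
]

# Host paths that, bind-mounted into a container, give it host control.
SENSITIVE_HOST_PATHS = ("/", "/root", "/etc", "/var/run/docker.sock")


def inspect_container(container):
    """Return the host-escape indicators present in one inspect record."""
    findings = []
    host = container.get("HostConfig", {})
    if host.get("Privileged"):
        findings.append("privileged")
    for bind in host.get("Binds") or []:
        src = bind.split(":", 1)[0]          # "/:/host" -> "/"
        if src in SENSITIVE_HOST_PATHS:
            findings.append("host_mount:" + src)
    if host.get("NetworkMode") == "host":
        findings.append("host_network")
    if host.get("PidMode") == "host":
        findings.append("host_pid")
    return findings


def scan_commands(commands):
    """Return (rule_name, command) pairs for every command matching a rule."""
    hits = []
    for cmd in commands:
        for name, pattern in CMD_RULES:
            if pattern.search(cmd):
                hits.append((name, cmd))
    return hits


def triage(containers, commands):
    """Combine container and command findings into one report dict."""
    report = {"containers": {}, "commands": scan_commands(commands)}
    for container in containers:
        findings = inspect_container(container)
        if findings:
            report["containers"][container["Name"]] = findings
    return report


# Constructed `docker inspect` excerpt: one container deployed over an
# exposed API with full host access, and one ordinary web container.
SAMPLE_INSPECT_JSON = """[
  {"Name": "/alpine-miner",
   "HostConfig": {"Privileged": true, "Binds": ["/:/host"],
                  "NetworkMode": "host", "PidMode": "host"}},
  {"Name": "/web",
   "HostConfig": {"Privileged": false,
                  "Binds": ["/srv/web:/usr/share/nginx/html:ro"],
                  "NetworkMode": "bridge"}}
]"""
SAMPLE_CONTAINERS = json.loads(SAMPLE_INSPECT_JSON)

# Constructed command history recovered from the host.
SAMPLE_COMMANDS = [
    "cat ~/.aws/credentials",
    "curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/",
    "env | grep AWS_SECRET_ACCESS_KEY",
    "ls -la /tmp",
    "nc irc.example.net 6667",
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_CONTAINERS, SAMPLE_COMMANDS), indent=2))
```

On a real host, feed `docker inspect $(docker ps -aq)` into `SAMPLE_CONTAINERS` and the contents of `.bash_history`, `ps -eo args`, and `docker logs` into `SAMPLE_COMMANDS`; any hit on the metadata-service rule is a cue to rotate the instance role's credentials, since IMDS-issued keys remain valid after the container is removed.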
TeamTNT poses a serious threat to cloud and container security: its cryptojacking payloads cause significant performance degradation, and its credential theft exposes data and other cloud resources. To protect against TeamTNT attacks, cloud and container users should follow best practices such as:
- Securing the Docker API....