
Notorious Malware CyberGang Goes All in on Unsecured Kubernetes Clusters

5 Feb 2021 10:06am, by

TeamTNT, a notorious cybergang known for its container-based attacks on cloud infrastructure, has found Kubernetes to be a useful tool in its efforts to mine Monero cryptocurrency from other people’s servers, according to a new report from Unit 42, the research arm of Palo Alto Networks.

On their own four-node “Honeypot” Kubernetes cluster, the researchers watched the attackers roll out a sophisticated attack that commandeered their containers using common Linux and cloud native tools. The actions were part of a larger botnet, dubbed “Hildegard,” whose size is still undetermined.

“From another ongoing research, we do know that there are at least 2,000 misconfigured Kubernetes clusters,” noted Jay Chen, a Unit 42 senior cloud researcher. These misconfigured systems can be easily found by searching the Shodan Internet of Things search engine and by using the search capabilities offered by security vendor Censys. “These misconfigured Kubernetes are all potential targets.”

Being infected by this botnet can be expensive and devastating for end users. “The most significant impact of the malware is resource hijacking and denial of service (DoS). The cryptojacking operation can quickly drain the entire system’s resources and disrupt every application in the cluster,” the researchers wrote in their findings report.

As with its legitimate uses, the open source container orchestration engine brings the attackers heretofore unattainable scalability, given that a Kubernetes cluster can control hundreds or even thousands of containers. The attackers are quickly learning how to exploit this capability too. “This new TeamTNT malware campaign is one of the most complicated attacks targeting Kubernetes,” the researchers note.

The Tools

The attackers found the honeypot through an unsecured, internet-facing kubelet that allowed anonymous access. Through it they pinpointed a container within the cluster and set up shop, using tmate and IRC to communicate back to headquarters and masscan to scan Kubernetes’ internal network. From there, it was easy to propagate the malware to other nodes within that cluster.

Malicious processes were hidden under the Linux bioset process name, as well as through a library injection technique built on LD_PRELOAD. Malicious payloads were encrypted and tucked into a binary to evade detection by static analysis.
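As an added, defender-side example (not code from Unit 42 or The New Stack; the configuration values and the preload path are constructed), the checks below flag the two footholds described above: a kubelet that accepts anonymous requests, and a library injected into processes through /etc/ld.so.preload or LD_PRELOAD.

```python
"""Audit helpers for an anonymously reachable kubelet and LD_PRELOAD-style
library injection. Added example; the sample inputs are constructed."""
from typing import Any

# Constructed KubeletConfiguration as it would look once parsed from YAML.
# The field names are real kubelet settings; the values are a made-up weak case.
WEAK_KUBELET_CONFIG: dict[str, Any] = {
    "authentication": {"anonymous": {"enabled": True}},
    "authorization": {"mode": "AlwaysAllow"},
    "readOnlyPort": 10255,
}

HARDENED_KUBELET_CONFIG: dict[str, Any] = {
    "authentication": {"anonymous": {"enabled": False},
                       "webhook": {"enabled": True}},
    "authorization": {"mode": "Webhook"},
    "readOnlyPort": 0,
}

def kubelet_findings(cfg: dict[str, Any]) -> list[str]:
    """Return findings for settings that let an unauthenticated caller
    use the kubelet API, the entry point used against the honeypot."""
    findings = []
    auth = cfg.get("authentication", {})
    if auth.get("anonymous", {}).get("enabled", False):
        findings.append("anonymous kubelet requests are accepted")
    if cfg.get("authorization", {}).get("mode") == "AlwaysAllow":
        findings.append("authorization mode AlwaysAllow: every request is permitted")
    if cfg.get("readOnlyPort", 0) != 0:
        findings.append(f"read-only port {cfg['readOnlyPort']} serves pod and node data without auth")
    return findings

# Constructed /etc/ld.so.preload contents; a clean node normally has no entries.
SUSPECT_PRELOAD = "/usr/local/lib/libsomething.so\n"

def preload_findings(ld_so_preload: str, env_ld_preload: str = "") -> list[str]:
    """Flag system-wide (/etc/ld.so.preload) and per-process (LD_PRELOAD)
    preloaded libraries; each one deserves review on a cluster node."""
    findings = []
    for path in ld_so_preload.split():
        findings.append(f"/etc/ld.so.preload injects {path} into every dynamically linked process")
    for path in env_ld_preload.replace(":", " ").split():
        findings.append(f"LD_PRELOAD set to {path}")
    return findings

if __name__ == "__main__":
    for f in kubelet_findings(WEAK_KUBELET_CONFIG) + preload_findings(SUSPECT_PRELOAD):
        print("FINDING:", f)
    print("hardened config findings:", kubelet_findings(HARDENED_KUBELET_CONFIG))
```

On a real node the inputs would come from the kubelet's config file (or its command-line flags) and from reading /etc/ld.so.preload and the environment of running processes.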


This is not the first cloud native tool the gang has deployed. Last year, Microsoft researchers observed TeamTNT download and run Weave Scope in cracked containers to get a layout of the victim’s infrastructure, Threat Post reported. Last August, the Unit 42 researchers also documented Cetus, a Docker-based cryptojacking worm they allege was created by TeamTNT (not to be confused with the TeamTNT collective known for creating add-on episodes of the Doom computer game). This shadowy entity also allegedly created Black-T, which targets credential files on Amazon Web Services, as well as the IRC bot TeamTNT DDoS.

This new botnet seems to be quiet of late — no updates have been made since the researchers discovered it in early January.

“There has not been any activity since our initial detection, which indicates the threat campaign may still be in the reconnaissance and weaponization stage,” the researchers report. Nonetheless, the botnet on this honeypot cluster tapped into ~25.05 KH/s hashing power and has harvested 11 XMR (~$1,500) of Monero digital currency.

Palo Alto Networks also would like to remind everyone that customers running Prisma Cloud are protected from this threat, through the software’s Runtime Protection feature.

The report offers a full rundown on the techniques and technologies used to infiltrate the cluster, and the impact these actions have on the infected system.

Palo Alto Networks is a sponsor of The New Stack.

Feature image: New Old Stock.

The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Unit, Docker.