TeamTNT (or someone a lot like them) may be preparing a major campaign.
By Jason Cole, CyberWire staff writer.
Jul 17, 2023

SentinelOne, Permiso, and Aqua Security expose a looming attack on Microsoft Azure and Google Cloud Platform. 


TeamTNT (or someone a lot like them) may be preparing a major campaign.

Researchers at SentinelOne and Permiso Security released joint reports suggesting that TeamTNT, a threat actor notorious for attacking Amazon Web Services (AWS), may be gearing up to attack Microsoft Azure and Google Cloud Platform. “Throughout June 2023, an actor behind a cloud credentials stealing campaign has expanded their tooling to target Azure and Google Cloud Platform (GCP) services. Previously, this actor focused exclusively on Amazon Web Services (AWS) credentials… These campaigns share similarity with tools attributed to the notorious TeamTNT cryptojacking crew. However, attribution remains challenging with script-based tools, as anyone can adapt the code for their own use,” writes Alex Delamonte from SentinelOne. Permiso brought some attribution to the threat actors by correlating usernames and passwords used and keyboard layouts writing, “Both the username and password are indicative of a keyboard run - the username on the home row keys and the password on the upper row keys. However, with all other characters being Latin the likely scenario that would produce a single ü is the usage of a virtual keyboard. Since the ü immediately follows the letter p in the password, the only two virtual keyboard layouts that contain an ü adjacent to the p character are for the Estonian and German languages.”

Retooling for attacks against Azure and Google Cloud.

Both SentinelOne and Permiso note that the actor has retooled its code to target Azure and Google Cloud Platform. Additionally, they have made changes to the file hosting as SentinelOne explains, “The actor no longer hosts files in an open directory, which complicates efforts to track and analyze these campaigns. Instead, C2 activity relies on a hardcoded username and password combination that are passed as arguments to the curl command.”

Aqua Security reported on the early stages of this incipient campaign. While it seems to be in its development and testing phase, the campaign could turn into a massive threat targeting cloud infrastructure. “Aqua Nautilus researchers identified an infrastructure of a potentially massive campaign against cloud native environments. This infrastructure is in early stages of testing and deployment, and is mainly consistent of an aggressive cloud worm, designed to deploy on exposed JupyterLab and Docker APIs in order to deploy Tsunami malware, cloud credentials hijack, resource hijack and further infestation of the worm. We strongly believe that TeamTNT is behind this new campaign.”