Threat actor group, TeamTNT, compromised multiple cloud instances and containerized environments.
Target list includes Docker, Redis server, AWS, and Kubernetes.
Reconnaissance
Credential Stealing
Installing backdoors, rootkits, stealers, botnets, and miners
Maintaining access and moving laterally
Cryptojacking
Network/port scanning tools
Malicious Binaries
Packers and Crypters
Credential Stealers
PWN Remote Services
Analysis and Attribution
History
TeamTNT goes by the Twitter handle “@HildeTnT / HildeGard@TeamTNT”
During their attack period, the group was very active on Twitter, posting and discussing:
Attacks conducted
Servers compromised
Tools employed
The group most likely originates from Germany because:
Most of the tweets and bash scripts are in the German language.
The account’s location is set to Deutschland.
Comments in the bash scripts contain words from the German language.
Information from OSINT
The following Tweet made on the group’s official account, suggests that it is a collective of 12 individuals (or more if they hired new people in late 2020).
TeamTNT’s Tweet about managing a group of 12 programmers
TeamTNT’s Github profile contains 25 public repositories, most of which are the forks of the popular red teaming tools and other repositories possibly leveraged by them.
The following domain was used by the group to host their malicious files and scripts while performing the attack: https://teamtnt[.]red.
CloudSEK researchers were able to gather the following information about the domain:
Domain was registered on 10 February 2020
During the same time TeamTNT had begun to actively target Redis servers
Domain is currently inactive
Some screenshots of the domain are still available on Wayback Machine
Timeline of TeamTNT
Event Timeline of TeamTNT
Redis Attacks (February 2020)
The group has been active since February 2020 when they launched their first campaign targeting Redis servers.
Attack flow for targeting the Redis server
The motive behind the attack was cryptojacking and the following tools were used:
pnscan – An open-source parallel network scanner, used to scan the whole internet for services listening on the default Redis port (6379). The setup script generates the payload that is executed on the Redis servers.
Tsunami – An open-source botnet, also known as titan or ziggystartux, used to perform DDoS attacks against targets or to execute commands on the infected machine.
xmrigCC – A tool used for mining crypto.
watchdog.c – A type of monitoring tool used in Linux for monitoring the mining process.
Punk.py – A post-exploitation tool meant to help network pivot from a compromised Unix box. This tool collects usernames, SSH keys, as well as known hosts from a Unix system and then tries to connect via SSH to all the combinations found.
Detailed breakdown of the setup script used in Redis campaign
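The Redis campaign above worked because instances were reachable from the internet on port 6379 with no authentication. As an added example (not part of the CloudSEK report or TeamTNT's tooling), the following script audits a redis.conf for the exposure settings a defender would check first: the bind address, protected-mode, requirepass, and whether the CONFIG command has been renamed. The sample configuration embedded below is constructed for the example.

```python
"""Audit a redis.conf for the settings that leave Redis exposed to
internet-wide scanning of port 6379.  Added example; the sample
configuration below is constructed, not taken from a real host."""

# Constructed sample redis.conf with several weak settings.
SAMPLE_REDIS_CONF = """\
# constructed sample redis.conf
bind 0.0.0.0
protected-mode no
port 6379
# requirepass change-me
rename-command FLUSHALL ""
"""

# Addresses that make Redis listen on every interface.
WILDCARD_BINDS = {"0.0.0.0", "::", "*", "-::*", "-*"}


def parse_redis_conf(text):
    """Return {directive: [value, ...]} for active (non-comment) lines.
    A directive may appear more than once (e.g. rename-command), so
    every occurrence is kept in file order."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def audit_redis_conf(text):
    """Return a list of (severity, finding) tuples for the given redis.conf."""
    conf = parse_redis_conf(text)
    findings = []

    # With no 'bind' directive Redis listens on all interfaces.
    bind = conf.get("bind")
    if bind is None:
        findings.append(("high", "no 'bind' directive: Redis listens on every interface"))
    else:
        addrs = bind[-1].split()  # the last bind line wins
        if any(a in WILDCARD_BINDS for a in addrs):
            findings.append(("high", f"bind {bind[-1]!r}: Redis listens on every interface"))

    # protected-mode defaults to 'yes'; 'no' removes the loopback-only safety net.
    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append(("high", "protected-mode is disabled"))

    # No requirepass means anyone who can reach the port has full control.
    password = conf.get("requirepass", [""])[-1].strip('"')
    if not password:
        findings.append(("high", "no requirepass set: unauthenticated access"))

    # Renaming CONFIG blocks the classic abuse of CONFIG SET dir/dbfilename.
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    if "CONFIG" not in renamed:
        findings.append(("medium", "CONFIG command is not renamed or disabled"))

    return findings


if __name__ == "__main__":
    for severity, finding in audit_redis_conf(SAMPLE_REDIS_CONF):
        print(f"[{severity}] {finding}")
```

Run it against a real redis.conf by reading the file into audit_redis_conf; an empty result means the four exposure settings are in their hardened state, not that the instance is fully hardened.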
Docker Attacks (May 2020)
In May 2020, the group started targeting Docker by employing the same Bash scripts and malware.
The group’s primary motive remained the same, i.e., cryptojacking.
A new tool was added to their arsenal:
masscan – A TCP port scanner used to find misconfigured Docker services by scanning exposed ports and services. Once a victim is located using masscan and zgrab, the attacker creates a container from the Alpine image and passes an argument to the script, which downloads and executes other malicious scripts.
Targeting Docker Instances using a Bash script
Improvised Docker Attacks (August 2020)
The group continued their attacks on Docker however they started using the Ubuntu images directly instead of Alpine.
The group started using a Linux Kernel Module (LKM) rootkit named Diamorphine to hide their activities on infected machines.
AWS credential-stealing capabilities were added into their scripts.
Weavescope Attacks (September 2020)
TeamTNT started abusing Weave Scope, a troubleshooting tool, leveraging it as a backdoor for the following:
Gaining full access to the victim’s cloud environment
Monitoring Docker, Kubernetes, the Distributed Cloud Operating System (DC/OS), and AWS Elastic Compute Cloud (ECS)
Running shell commands
The group began using two new tools to steal credentials from browser history and network connections:
The group’s target list remained the same, but they expanded their credential-stealing capabilities to the following services and applications:
AWS
Shodan
PostgreSQL
S3 buckets
GCP
SMB
Docker
ngrok
Hexchat
SSH
MoneroGuiWallet
Filezilla
Davfs2
GitHub
They added the AWS CLI to their script to exfiltrate as much information about the instance as possible, including resources, instance details, roles, volumes, etc.
Chimaera Campaign (July 2021)
On 25 July 2021, TeamTNT launched a campaign named “Chimaera” where they continued their attacks on Docker, Kubernetes, and Weavescope services.
To maintain transparency, the group created a dashboard on their website that displayed campaign statistics.
Chimaera campaign dashboard to display statistics on the website
The group significantly improved their enumeration technique by adding over 70 unique AWS CLI commands designed to enumerate the following 7 AWS services:
IAM configuration
EC2 instances
S3 buckets
Support cases
Direct connection
CloudTrail
CloudFormation
They also started employing LaZagne, another open-source application, to enhance their credential-stealing capabilities.
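The 70-plus AWS CLI commands described above are read-only enumeration calls (Describe*, List*, Get*) spread across several services in a short time, which is a pattern CloudTrail makes visible. As an added example (not from the CloudSEK report), the following script groups CloudTrail records by identity and flags any identity that issues many distinct read-only API calls across several services inside a sliding window. The records, the account ID and the role and user ARNs are constructed for the example; the thresholds are assumptions to tune per environment.

```python
"""Flag AWS identities whose CloudTrail activity looks like broad
read-only enumeration (many distinct Describe/List/Get calls across
several services in a short window).  Added example; all records and
ARNs below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

READ_PREFIXES = ("Describe", "List", "Get")

# Constructed identities (account ID is a placeholder).
ROLE = "arn:aws:sts::111111111111:assumed-role/web-instance-role/i-0example"
USER = "arn:aws:iam::111111111111:user/alice"


def _rec(event_time, arn, service, name):
    """Build a minimal CloudTrail record with the fields the detector reads."""
    return {"eventTime": event_time, "eventSource": f"{service}.amazonaws.com",
            "eventName": name, "userIdentity": {"arn": arn}}


# Constructed sample: a burst of enumeration from an instance role,
# plus normal low-volume activity from a human user.
SAMPLE_CLOUDTRAIL = {"Records": [
    _rec("2021-07-25T10:00:05Z", ROLE, "iam", "ListUsers"),
    _rec("2021-07-25T10:00:09Z", ROLE, "iam", "ListRoles"),
    _rec("2021-07-25T10:00:14Z", ROLE, "iam", "GetAccountSummary"),
    _rec("2021-07-25T10:00:31Z", ROLE, "ec2", "DescribeInstances"),
    _rec("2021-07-25T10:00:36Z", ROLE, "ec2", "DescribeVolumes"),
    _rec("2021-07-25T10:01:02Z", ROLE, "s3", "ListBuckets"),
    _rec("2021-07-25T10:01:20Z", ROLE, "support", "DescribeCases"),
    _rec("2021-07-25T10:01:55Z", ROLE, "cloudtrail", "DescribeTrails"),
    _rec("2021-07-25T10:02:40Z", ROLE, "cloudformation", "DescribeStacks"),
    _rec("2021-07-25T09:15:00Z", USER, "ec2", "DescribeInstances"),
    _rec("2021-07-25T11:40:00Z", USER, "s3", "ListBuckets"),
]}


def parse_records(trail):
    """Normalise CloudTrail records into (time, arn, name, service) dicts."""
    out = []
    for r in trail["Records"]:
        out.append({
            "time": datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "arn": r.get("userIdentity", {}).get("arn", "unknown"),
            "name": r["eventName"],
            "service": r["eventSource"].split(".")[0],
        })
    return out


def detect_enumeration(records, window=timedelta(minutes=10),
                       min_calls=6, min_services=3):
    """Return one alert per identity whose read-only calls inside any
    'window' cover at least min_calls distinct APIs and min_services services.
    Thresholds are assumptions chosen for the constructed sample."""
    by_identity = defaultdict(list)
    for r in records:
        if r["name"].startswith(READ_PREFIXES):
            by_identity[r["arn"]].append(r)

    alerts = []
    for arn, events in by_identity.items():
        events.sort(key=lambda e: e["time"])
        best = None
        for i, start in enumerate(events):
            names, services = set(), set()
            for e in events[i:]:  # events are sorted, so break on the first one past the window
                if e["time"] - start["time"] > window:
                    break
                names.add(e["name"])
                services.add(e["service"])
            if len(names) >= min_calls and len(services) >= min_services:
                if best is None or len(names) > best["distinct_calls"]:
                    best = {"arn": arn, "window_start": start["time"].isoformat(),
                            "distinct_calls": len(names), "services": sorted(services)}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(parse_records(SAMPLE_CLOUDTRAIL)):
        print(alert)
```

In production the same logic runs over CloudTrail logs pulled from S3 or a SIEM; instance roles that suddenly call IAM, Support and CloudTrail APIs they have never used are the highest-value hits, since a web server role has no business listing IAM users.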
Techniques, Tactics & Procedures (TTPs)
TTPs employed by TeamTNT
TeamTNT essentially employed the same strategies across all of its campaigns, with the following adjustments to its methods:
Account manipulation by adding their own SSH authorized_keys on compromised servers.
Installing a scanner to scan the entire internal network for lateral movements.
Using process monitoring tools to restart processes.
Using scripts to install all sorts of tools, malware, and miner.
Packing binaries to evade normal security checks.
Using obfuscation and encodings in bash scripts and while communicating through C2 servers.
Using kernel-level rootkits to hide their process.
Deploying own containers for attacks and mining.
Using data-stealing tools to collect cloud service credentials.
Resource hijacking and deploying XMRig Docker images to mine cryptocurrency.
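The first adjustment in the list above, adding the group's own SSH key to authorized_keys on compromised servers, is one of the easier TTPs to detect from the host side. As an added example (not from the CloudSEK report), the following script parses an authorized_keys file, computes the OpenSSH-style SHA256 fingerprint of each key and reports every key that is not in an approved baseline. The sample file, the key blobs and the baseline are constructed for the example.

```python
"""Detect SSH keys in authorized_keys that are not in an approved
baseline.  Added example; the key blobs and sample file below are
constructed and are not real public keys."""
import base64
import hashlib

KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}

# Constructed key blobs (any base64 data works for the fingerprint math).
ADMIN_BLOB = base64.b64encode(b"constructed admin key blob").decode()
ROGUE_BLOB = base64.b64encode(b"constructed rogue key blob").decode()

# Constructed sample ~/.ssh/authorized_keys with one approved and one unknown key.
SAMPLE_AUTHORIZED_KEYS = f"""\
# constructed sample authorized_keys
ssh-ed25519 {ADMIN_BLOB} admin@bastion
ssh-rsa {ROGUE_BLOB} rsa-key-20200224
"""


def fingerprint(b64_blob):
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of the
    SHA-256 digest of the decoded key blob (what ssh-keygen -lf prints)."""
    raw = base64.b64decode(b64_blob)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Return one dict per key line with line number, options, type,
    fingerprint and comment.  Lines that cannot be parsed are kept with an
    'error' field so they are reviewed rather than silently skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        # Options (e.g. command="...",no-pty) may precede the key type; find
        # the first token that is a key type so quoted options with spaces survive.
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or len(tokens) < idx + 2:
            entries.append({"line": lineno, "error": "unparseable entry", "raw": line})
            continue
        entries.append({
            "line": lineno,
            "options": " ".join(tokens[:idx]),
            "type": tokens[idx],
            "fingerprint": fingerprint(tokens[idx + 1]),
            "comment": " ".join(tokens[idx + 2:]),
        })
    return entries


def find_unexpected_keys(text, baseline_fingerprints):
    """Return entries whose fingerprint is not in the approved baseline,
    plus any entry that failed to parse."""
    return [e for e in parse_authorized_keys(text)
            if "error" in e or e["fingerprint"] not in baseline_fingerprints]


# Constructed baseline: only the admin key is approved.
BASELINE = {fingerprint(ADMIN_BLOB)}

if __name__ == "__main__":
    for entry in find_unexpected_keys(SAMPLE_AUTHORIZED_KEYS, BASELINE):
        print(f"line {entry['line']}: unexpected key {entry}")
```

Run the check periodically over every user's authorized_keys (and any AuthorizedKeysFile paths in sshd_config) against a baseline kept off the host; a key that appears with a generic comment and no change ticket is the signal the TTP above leaves behind.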
Tools & Exploits
TeamTNT employed mostly open-source tools and depended heavily on bash scripts to manage all of them. The table below contains the list of tools used by them for conducting their activities.