Nearly 50,000 IPs compromised in Kubernetes clusters by TeamTNT

May 26, 2021  By Pierluigi Paganini


Researchers discovered about 50,000 IPs across multiple Kubernetes clusters that were compromised by the TeamTNT.threat actors.

Researchers from Trend Micro reported that about 50,000 IPs were compromised across multiple Kubernetes clusters in a cryptojacking campaign conducted by TeamTNT group.

Kubernetes is an open-source container-orchestration system for automating computer application deployment, scaling, and management. It aims to provide a “platform for automating deployment, scaling, and operations of application containers across clusters of hosts”

“We have found and confirmed close to 50,000 IPs compromised by this attack perpetrated by TeamTNT across multiple clusters. Several IPs were repeatedly exploited during the timeframe of the episode, occurring between March and May.” reads the analysis published by Trend Micro. “Most of the compromised nodes were from China and the US identified in the ISP (Internet Service Provider) list, which had Chinese and US-based providers as the highest hits, including some CSPs (Cloud Service Providers).” 

The TeamTNT botnet is a crypto-mining malware operation that has been active since April 2020 and that targets Docker installs. The activity of the TeamTNT group has been detailed by security firm Trend Micro, but in August experts from Cado Security discovered that that botnet is also able to target misconfigured Kubernetes installations.

Upon infecting Docker and Kubernetes systems running on top of AWS servers, the bot scans for ~/.aws/credentials and ~/.aws/config that are the paths were the AWS CLI stores credentials and configuration details in an unencrypted file.

The malware deploys the XMRig mining tool to mine Monero cryptocurrency.

In January 2021, the cybercrime gang launched a new campaign targeting Kubernetes environments with the Hildegard malware.

Now the group is still scanning for and compromising Kubernetes clusters online, many IPs were repeatedly exploited between March and May.

Trend Micro researchers analyzed one of the scripts employed in the attacks against the Kubernetes clusters they collected from a server (kube[.]lateral[.]sh) used by the TeamTNT group.

The script had a low detection rate in VirusTotal, that attack chain begins with the attempt to disable the bash history on the target host and define environment variables for its command-and-control server, including the script to install the crypto miner later and the binary of the XMRig Monero miner.

The TeamTNT group also uses the script to install two free, open-source tools, the network scanning tool masscan and the deprecated banner-grabbing Zgrab

The group also installs an Internet Relay Chat bot written in C that is stored on the /tmp folder under the name kube.c, in the attempt to avoid suspicion.

“In the last part of the script, we can see a function — kube_pwn() — being declared, just like in the image shown below. As seen from the code, the kube_pwn function uses Masscan to check any hosts with port 10250 open.” reads the analysis published by Trend Micro.

The threat actors use the Masscan scanner to scan the internal network of the targeted Kubernetes cluster for unsecured or misconfigured Kubelet agents. The kubelet API port (10250) should not be exposed online but TeamTNT is compromising the kubelet after gaining access to the environment.

“As we can see from the kubelet server.go code above, the API endpoint /runningpods does exactly what the endpoint says, it lists the running pods. First, the kube_pwn() function lists all the current running pods inside the node in a JSON format.” reads the analysis published by the experts. “Then, for each container running on each node, it takes advantage of the /run endpoint on the kubelet API to run the following commands:

  • 1. Updates the package index of the container.
  • 2. Installs the following packages: bash, wget and curl.
  • 3. Downloads a shell script called setup_xmr.sh from the TeamTNT C&C server and saves it on the tmp folder.
  • 4. Executes the script to start mining for the Monero cryptocurrency.

The report also includes instructions to secure the Kube API Server.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, PLA Unit 61419)

[adrotate banner=”5″]

[adrotate banner=”13″]



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.





You might also like





  • Digging the Deep Web: Exploring the dark side of the web

    Digging The Deep Web

  • Center for Cyber Security and International Relations Studies

  • Subscribe Security Affairs Newsletter

    newsletter

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

    EU Sec Bloggers Awards 22


More Story

French police seized dark web marketplace Le Monde Parallèle

 Last week, French authorities have seized the dark web marketplace Le Monde Parallèle, it is another success of national...