Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News Newest TeamTNT IRC Bot Steals AWS and Docker Credentials

Newest TeamTNT IRC Bot Steals AWS and Docker Credentials

This item in japanese

Over the past several months, cybercrime group TeamTNT’s internet relay chat (IRC) bot has had its functionality expanded from resource theft for crypto-mining to include the theft of Docker API, Amazon Web Service, and secure shell (SSH) credentials.

Researchers at Cado Security have outlined multiple recent changes in its post-invasion behaviour. The botnet script can now steal credentials from AWS IAM roles, from both files and the AWS metadata URL, which exposes privileged information.

In December, the team at TrendMicro analysed the payload of an ongoing TeamTNT attack and shared that its updated code contained an IRC bot which its authors named ‘TNTbotinger’. Further analysis by the Lacework team indicated that TNTbotinger was malware known as ‘Ziggy StarTux’, which is a variant of Kaiten. The script was first reported in August by Malwarehunterteam (original Tweets since deleted), and appears to have been active since April 2020, compromising a number of Docker and Kubernetes systems.

The malicious scripts have since been equipped with additional functions to ensure the environment has sufficient resources for the mining operation, to hide their operation, and to leave a backdoor for future remote connections.

Alongside these technical updates, TeamTNT have updated their trademark logo embedded in the script, calling the new variant ‘Borg’, and have publically downplayed its use as a botnet:

Borg is not a botnet, it was just a test of a spreading script. 4000 bots in under 30 minutes, not a bad cut. The irc server went on vacation just over the 4000. XD. The spreading script uses kubernetes server, it is comparable to a docker gatling gun.

(Translated from TeamTNT’s original tweet in German)

The malicious shell script that initiates the attack is self-propagating. Previously the main payload of the attack was the XMRig tool, used for crypto-currency mining. This has been elaborated to include credentials theft; the IRC bot is also capable of distributed denial of service (DDoS) attack.

TeamTNT logo embedded in the latest malicious script (credit Cado)

Once the attack has access, it can identify vulnerable instances on other segments on the accessible private network, and can perform remote code execution (RCE), which may include infrastructure considered shielded from the public network.

The spreading script works by looking for further accessible networks based on the output of the _ip route_ command. The _pnscan_ tool finds active SSH services on the network before attempting authentication using any keys already found on the network. It will then deploy the same payload on the new devices and the attack spreads.

The cloud and container attack now deploys multiple open-source tools: Tmate, an application for sharing terminals which allows the attackers to maintain access; Break Out the Box (BOtB), a penetration testing tool; Peirates, a penetration testing tool for Kubernetes. Based on the parameters used to call BOtB, the Cado team assesses that the script is also targeting Google Cloud Platform systems.

The BOtB tool brings several enhancements to the attack’s capabilities. It can find and identify Kubernetes account secrets, Docker daemons, sensitive metadata from AWS/ GCP endpoints, open UNIX sockets, data from Linux Kernel Keyrings, and sensitive strings in the environment. It enables hijacking of host binaries with custom payloads, can perform actions in CI|CD mode, and enables container breakout via exposed Docker daemons.

Organisations can defend against this by using well known techniques: white-listing packages/images and hardcoding versions; continuous monitoring and auditing of devices; granting the least viable privilege permissions; adhering to the shared responsibility model; continuously patching and updating systems to ensure that system defences are updated, and ensuring the organisation’s password management practices are robust.

TeamTNT continues to experiment with a number of different attack vectors. In September they took advantage of unauthenticated API access via a visualisation and monitoring tool called Weave Scope from Weaveworks, which did not perform API authentication by default.

The TrendMicro team has also found corresponding code to the TNTbotinger and Borg attacks embedded in Docker Hub images, which they’ve linked to TeamTNT. InfoQ has reviewed the evolving sophistication of malicious images hosted on Docker Hub, an alternative attack vector in use by the same group.

Rate this Article