TeamTNT: Explosive Cryptomining

Presented at Black Hat Europe 2021, Nov. 10, 2021, 11:20 a.m. (40 minutes).

Since the introduction of Amazon Web Services (AWS) there has been a steady migration from on-premise to cloud deployments. Misconfigured cloud services can be low-hanging fruit for an attacker. Palo Alto Networks found that Docker services were attacked about every 90 minutes during the Spring of 2021. Of these attacks, around 76% were by cryptojacking threat actors, one of the most active in this field being TeamTNT.

TeamTNT is one of the predominant cryptojacking threat actors currently targeting Linux servers. This session will present the threat actor's activity and their Tactics, Techniques and Procedures (TTPs) throughout their different campaigns. The first public report on TeamTNT was published in May 2020 by Trend Micro and covered attacks against servers running exposed Docker instances. While this is early activity, it is not the earliest that can be attributed to the threat actor. Based on our findings, we can conclude that they have been active since the Fall of 2019, which was six months before the initial report on the threat actor's activity. While TeamTNT is mainly known for compromising Kubernetes clusters and servers running Docker, this session will also highlight campaigns against servers running Redis and Windows.

The threat actor maintains a public persona on Twitter. In addition to some of the technical details, this session will present the threat actor's social media activity and how they are uniquely interacting with the security research community.

The session and the accompanying whitepaper will provide defenders with all information needed to better protect and detect attacks by this threat actor. The whole toolset will be presented, including: scripts, DDoS malware, backdoors, and rootkits.

Presenters:

• Joakim Kennedy - Security Researcher, Intezer
  Dr. Joakim Kennedy is a Security Researcher for Intezer. On a daily basis he analyzes malware, tracks threat actors, and solves security problems. His work is mainly focused on threats that target Linux systems and Cloud environments. Dr. Kennedy began in the industry as a security researcher at Rapid7 where he got his start in vulnerability research. Following his time with Rapid7, he joined Anomali. While there, he managed Anomali's Threat Research Team, where they focused on creating threat intelligence. Dr. Kennedy has been a featured speaker at multiple BSides and at the CCB's Quarterly Cyber Threat Report Event. He has also presented at various other industry events. For the last few years, Dr. Kennedy has been researching malware written in Go. To make the analysis easier he has written the Go Reverse Engineering Toolkit (github.com/goretk), an open-source toolkit for analysis of Go binaries.
• Nicole Fishbein - Security Researcher, Intezer
  Nicole Fishbein has spent the last six years entrenched in the security world as part of the IDF and currently discovering new malware as a part of the Intezer research team. Nicole has been part of research that led to discovering previously undetected malware such as Doki and ties between Rocke Group and the evolution of tools and techniques to target Linux-based cloud environments.

Links:

• https://www.blackhat.com/eu-21/briefings/schedule/#teamtnt-explosive-cryptomining-24809

Similar Presentations:

• VB2017 / Walking in your enemy's shadow: when fourth-party collection becomes attribution hell
• VB2019 / Abusing third-party cloud services in targeted attacks
• CircleCityCon 10.0 (2023) Virtual / Old Services, New Tricks: Cloud Metadata Abuse by Threat Actors