AWS Cloud Credential Stealing Campaign Spreads to Azure, Google Cloud

A sophisticated cloud-credential stealing and cryptomining campaign targeting Amazon Web Services (AWS) environments for the past several months has now expanded to Azure and Google Cloud Platform (GCP) as well. And, the tools used in the campaign share considerable overlap with those associated with TeamTNT, a notorious, financially motivated threat actor, researchers have determined.

The broader targeting appears to have begun in June, according to researchers at SentinelOne and Permiso, and is consistent with a continuous series of incremental refinements that the threat actor behind the campaign has been making to it since the series of attacks began in December.

In separate reports highlighting their key takeaways, the firms noted that the attacks targeting Azure and Google's cloud services involve the same core attack scripts that the threat group behind it has been using in the AWS campaign. However, the Azure and GCP capabilities are very nascent and less developed than the AWS tooling, says Alex Delamotte, threat researcher at SentinelOne. 

"The actor only implemented the Azure credential collection module in the more recent — June 24 and newer — attacks," she says. "The development has been consistent, and we will likely see more tools emerge over the coming weeks with bespoke automations for these environments, should the attacker find them a valuable investment."

Cybercriminals Going After Exposed Docker Instances

The TeamTNT threat group is well known for targeting exposed cloud services and thrives on exploiting cloud misconfigurations and vulnerabilities. While TeamTNT initially focused on cryptomining campaigns, it has more recently expanded into data theft and backdoor deployment activities as well, which the latest activity reflects. 

In that vein, according to SentinelOne and Permiso, the attacker has begun targeting exposed Docker services as of last month, using newly modified shell scripts that are engineered to determine the environment they are in, profile the systems, search for credential files, and exfiltrate them. The scripts also contain a function for collecting environment variable details, likely used to determine if there are any other valuable services on the system to target later, SentineOne researchers said.

The attacker's toolset enumerates service environment information regardless of the underlying cloud service provider, Delamotte says. "The only automation we saw for Azure or GCP was related to credential harvesting. Any follow-on activity is likely hands-on-keyboard."

The findings add to the research from Aqua Security that recently showed malicious activity targeting public-facing Docker and JupyterLab APIs. Aqua researchers attributed the activity — with a high level of confidence — to TeamTNT. 

Deploying Cloud Worms

They assessed the threat actor was prepping an "aggressive cloud worm" designed to deploy in AWS environments, with a goal of facilitating cloud credentials theft, resource hijacking, and the deployment of a backdoor called "Tsunami."

Similarly, SentinelOne and Permiso's joint analysis of the evolving threat showed that in addition to the shell scripts from earlier attacks, TeamTNT is now delivering a UPX-packed, Golang-based ELF binary. The binary basically drops and executes another shell script for scanning an attacker-specified range and propagating to other vulnerable targets.

This worming propagation mechanism looks for systems responding with a specific Docker version user-agent, Delamotte says. These Docker instances could be hosted through Azure or GCP. "Other reports note that these actors exploit public-facing Jupyter services, where the same concepts apply," Delamotte says, adding that she believes that TeamTNT is currently merely testing its tools in Azure and GCP environment rather than looking to achieve specific objectives on impacted systems.

Also on the lateral movement front, Sysdig last week updated a report it first published in December, with new details of the ScarletEel cloud credential stealing and cryptomining campaign targeting AWS and Kubernetes services, which SentinelOne and Permiso have linked to the TeamTNT activity. Sysdig determined that one of the primary goals of the campaign is to steal AWS credentials and use them to further exploit the victim's environment by installing malware, stealing resources, and carrying out other malicious activities. 

Attacks like the one against AWS environments that Sysdig reported involve the use of known AWS exploitation frameworks, including one called Pacu, Delamotte notes. Orgs using Azure and GCP should assume that attacks against their environments will involve similar frameworks. She advocates that administrators speak with their red teams to understand what attack frameworks work well against these platforms. 

"Pacu is a known red team favorite for attacking AWS," she says. "We can expect these actors will adopt other successful exploitation frameworks."