Keeping secrets safe is key to keeping systems secure and preventing supply-chain attacks. Malicious actors often go after secrets in storage mechanisms and harvest credentials found in compromised systems. And credentials stored in plain text that are accessible even without user interaction are not uncommon for DevOps software and are therefore a big security risk.
Malicious actors have been known to harvest cloud service provider (CSP) credentials once they get into their victims’ systems. The cybercriminal group TeamTNT, for example, is no stranger to targeting cloud containers, expanding their arsenal to steal cloud credentials, and exploring other environments and intrusive activities. In the group’s latest attack routine, we found new evidence that TeamTNT has further extended its credential harvesting capabilities to target multiple cloud and non-cloud services in victims’ internal networks and systems post-compromise.
Technical analysis
TeamTNT’s malware is designed to harvest credentials from specific software and services. It infects Linux machines with openings such as exposed private keys and recycled passwords, and focuses on checking the infected systems for cloud-related files.
As in the group’s other attacks, cloud misconfigurations and reused passwords provide easy entry to a victim system. And as before, the group harvests credentials for Secure Shell (SSH) and Server Message Block (SMB) to obtain access to other systems. Both intrusion techniques can spread their respective payloads in a wormlike manner. We found several scripts for this function (to ensure the spread of payloads in different environments), one of which we had previously documented.
With a.netrc file to automatically log in using the harvested credentials, the malware looks for app configurations and data based on a search list while going through the connected systems, and sends them to the command-and-control (C&C) server.
As TeamTNT’s payloads focus on unauthorised mining of Monero, it’s no surprise that the malware also looks for Monero configuration files in the infected system. The malware looks for the presence of Monero wallets in all the systems the group can access.
At the end of its routine, the malware tries to delete traces of itself from the infected system. However, our analysis strongly indicates that this is not done effectively. While “history -c” clears the Bash history, some commands continue with their activities and leave traces on other parts of the system.
Conclusion
Malicious actors actively look for legitimate users’ credentials in internal networks and systems to facilitate their post-intrusion activities. If in possession of CSP credentials, they could use the cloud services paid by legitimate entities for other malicious activities. Stolen credentials for version control software such as Git also pose significant security risks, including supply chain compromise, since it is highly likely that a malicious user will also have write capability into repositories, and can therefore perform source code modifications that will go unnoticed.
In addition, credentials stored in plain text serve as a gold mine for cybercriminals, especially when used in subsequent attacks. Harvested FTP credentials, for example, could lead to old-school website hacking or credential modifications, followed by ransom demands in exchange for access or data restoration. The same goes for vulnerabilities, especially those in unpatched and otherwise unsecured internet-facing systems.
To mitigate the risks of this TeamTNT routine and other similar threats, customers are advised to use the secret vaults offered by their CSPs and to follow these best practices:
- Enforce the principle of least privilege and adopt the shared responsibility model.
- Replace default credentials with strong and secure passwords, and ensure that security settings of different systems’ environments are customised to the organisation’s needs.
- Avoid storing credentials in plain text, and enable multifactor authentication whenever available.
- Update and patch systems regularly. Consider the security, customisation of credentials, and patching of front-facing systems to ensure no gaps can be abused for malicious activities.
Trend Micro solutions
Cloud-specific security solutions such as Trend Micro Hybrid Cloud Security can help protect cloud-native systems and their various layers. Trend Micro Hybrid Cloud Security is powered by Trend Micro Cloud One™, a security services platform for cloud builders that provides automated protection for continuous-integration and continuous-delivery (CI/CD) pipelines and applications. It also helps identify and resolve security issues sooner and improve delivery time for DevOps teams. The Trend Micro Cloud One platform includes:
- Workload Security: runtime protection for workloads
- Container Security: automated container image and registry scanning
- File Storage Security: security for cloud files and object storage services
- Network Security: cloud network layer for intrusion prevention system (IPS) security
- Application Security: security for serverless functions, APIs, and applications
- Conformity: real-time security for cloud infrastructure — secure, optimise, comply
Indicator of compromise
SHA256 |
Detection |
ed40bce040778e2227c869dac59f54c320944e19f77543954f40019e2f2b0c35 |
Trojan.SH.YELLOWDYE.A |