Nearly 50,000 IPs compromised in Kubernetes clusters by TeamTNT

Pierluigi Paganini May 26, 2021

Researchers discovered about 50,000 IPs across multiple Kubernetes clusters that were compromised by the TeamTNT.threat actors.

Researchers from Trend Micro reported that about 50,000 IPs were compromised across multiple Kubernetes clusters in a cryptojacking campaign conducted by TeamTNT group.

Kubernetes is an open-source container-orchestration system for automating computer application deployment, scaling, and management. It aims to provide a “platform for automating deployment, scaling, and operations of application containers across clusters of hosts”

“We have found and confirmed close to 50,000 IPs compromised by this attack perpetrated by TeamTNT across multiple clusters. Several IPs were repeatedly exploited during the timeframe of the episode, occurring between March and May.” reads the analysis published by Trend Micro. “Most of the compromised nodes were from China and the US identified in the ISP (Internet Service Provider) list, which had Chinese and US-based providers as the highest hits, including some CSPs (Cloud Service Providers).” 

The TeamTNT botnet is a crypto-mining malware operation that has been active since April 2020 and that targets Docker installs. The activity of the TeamTNT group has been detailed by security firm Trend Micro, but in August experts from Cado Security discovered that that botnet is also able to target misconfigured Kubernetes installations.

Upon infecting Docker and Kubernetes systems running on top of AWS servers, the bot scans for ~/.aws/credentials and ~/.aws/config that are the paths were the AWS CLI stores credentials and configuration details in an unencrypted file.

The malware deploys the XMRig mining tool to mine Monero cryptocurrency.

In January 2021, the cybercrime gang launched a new campaign targeting Kubernetes environments with the Hildegard malware.

Now the group is still scanning for and compromising Kubernetes clusters online, many IPs were repeatedly exploited between March and May.

Trend Micro researchers analyzed one of the scripts employed in the attacks against the Kubernetes clusters they collected from a server (kube[.]lateral[.]sh) used by the TeamTNT group.

The script had a low detection rate in VirusTotal, that attack chain begins with the attempt to disable the bash history on the target host and define environment variables for its command-and-control server, including the script to install the crypto miner later and the binary of the XMRig Monero miner.

The TeamTNT group also uses the script to install two free, open-source tools, the network scanning tool masscan and the deprecated banner-grabbing Zgrab

The group also installs an Internet Relay Chat bot written in C that is stored on the /tmp folder under the name kube.c, in the attempt to avoid suspicion.

“In the last part of the script, we can see a function — kube_pwn() — being declared, just like in the image shown below. As seen from the code, the kube_pwn function uses Masscan to check any hosts with port 10250 open.” reads the analysis published by Trend Micro.

The threat actors use the Masscan scanner to scan the internal network of the targeted Kubernetes cluster for unsecured or misconfigured Kubelet agents. The kubelet API port (10250) should not be exposed online but TeamTNT is compromising the kubelet after gaining access to the environment.

“As we can see from the kubelet server.go code above, the API endpoint /runningpods does exactly what the endpoint says, it lists the running pods. First, the kube_pwn() function lists all the current running pods inside the node in a JSON format.” reads the analysis published by the experts. “Then, for each container running on each node, it takes advantage of the /run endpoint on the kubelet API to run the following commands:

  • 1. Updates the package index of the container.
  • 2. Installs the following packages: bash, wget and curl.
  • 3. Downloads a shell script called from the TeamTNT C&C server and saves it on the tmp folder.
  • 4. Executes the script to start mining for the Monero cryptocurrency.

The report also includes instructions to secure the Kube API Server.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, PLA Unit 61419)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment