VTA-00447 – TeamTNT Cloud Credentials Stealing Campaigns Targeting AWS, Azure, and GCP
Starting in June 2023, an actor initiated a cloud credentials stealing campaign primarily targeting Amazon Web Services (AWS) credentials from public-facing Jupyter Notebooks services. Collaborating with the Permiso Security threat research team, SentinelLabs tracked and analyzed the campaign’s files. The actor made updates to their tooling, no longer hosting files in an open directory, complicating tracking efforts. The campaigns were characterized by the use of shell scripts and an ELF binary written in Golang. Over time, the actor expanded their focus, targeting credentials from Azure and Google Cloud Platform (GCP) as well. This evolution showcased the actor’s expertise across multiple technologies.
SentinelLabs observed the actor’s meticulous approach, evident in choices like serving the curl binary to systems lacking it, and the improved data formatting for autonomous activity. This indicated a level of maturity and skill in their operations. Notably, the campaign’s targeted files overlapped with those of the TeamTNT Kubelet-targeting campaign reported earlier, making attribution challenging with script-based tools.
The actor’s continuous updates and expansion of targets suggest an ongoing threat. Organizations are urged to secure their Jupyter Notebooks services and take steps to ensure proper application configuration and timely security patching. Additionally, restricting Docker access can minimize exposure to external connections, enhancing overall defense against these cloud credential-stealing campaigns.
Severity:
Medium
Attack Surfaces:
Cloud Service, Cloud Storage
Tactics:
Defense Evasion, Discovery, Execution, Persistence
Techniques:
T1007 – System Service Discovery,
T1140 – Deobfuscate/Decode Files or Information,
T1059 – Command and Scripting Interpreter,
T1525 – Implant Internal Image
Technical Impact Analysis:
Loss of Accountability, Loss of Confidentiality
Business Impact Analysis:
Financial Damage, Non-Compliance, Reputation Damage
SuperPRO’s Threat Countermeasures Procedures:
1. Regularly update and patch software and applications, including web applications and cloud services, to mitigate known vulnerabilities.
2. Implement secure configurations for systems, following best practices and vendor guidelines for hardening configurations.
3. Conduct periodic security assessments, penetration testing, and vulnerability assessments to identify and remediate weaknesses in web applications, cloud platforms, and infrastructure.
4. Enforce strong access controls, including the principle of least privilege, and utilize multi-factor authentication (MFA) for user accounts. Manage and rotate access keys and credentials properly.
5. Implement network segmentation to isolate critical systems and limit lateral movement in case of a compromise.
6. Conduct employee training and awareness programs to educate about cybersecurity risks and best practices.
7. Monitor and analyze network traffic to detect suspicious activity early on.
8. Develop and implement a comprehensive incident response plan for handling security breaches effectively.
9. Leverage cloud-native security tools and features provided by the cloud service provider.
Contributed by: Wan