Tuesday, November 5, 2024
HomeCyber AttackOver 50,000 IPs Across Multiple Kubernetes Clusters Were Compromised by The TeamTNT...

Over 50,000 IPs Across Multiple Kubernetes Clusters Were Compromised by The TeamTNT Threat Actors

Published on

Malware protection

The cybersecurity researchers of Trend Micro have recently detected a new threat attack in which the Cryptojacking attack group named TeamTNT has compromised over 50,000 IPs across various Kubernetes Clusters.

Kubernetes is one of the most famous approved open-sour container-orchestration platforms that is specifically used for automating the deployment, management of containerized applications, and scaling.

Kubernetes is always been one of the attractive targets for the threat actors because they are always misconfigured, particularly all those applications that are running primarily in cloud environments along with the access to infinite resources. 

- Advertisement - SIEM as a Service

How a Kubernetes Cluster is Compromised?

After a long investigation, the researchers at Trend Micro security have luckily collected a file from the servers of the threat actors. The file named kube.lateral.sh, as per the experts this file has a very low detection rate in VirusTotal.

For setting the environment, the hackers initially disable the bash history of the host they have targeted. However, the scripts were mainly used to install the crypto miner later as well as the binary of the XMRig Monero miner.

The tools were the network scanning tool masscan which is being developed in C, and another one is the banner-grabbing, deprecated Zgra that is developed in Go.

Moreover, these scripts have a large base64 encoded code block, that helps the hackers to install the IRC bot, and it is written in C, which is specifically based on a famous IRC bot named Kaiten.

After all this, the experts noticed the function kube_pwn() on the last part of the script. This function uses Masscan to see whether any hosts are open with port 10250 or not.

Kubelets

However, Kubelets is not appraised as one of the best methods that should run in application pods on the control plane and nodes of a cluster. Kubelet is one of the agents that specifically runs on every node to ensure that each container is being organized in a Pod.

The Kubelet security setting has three critical factors and here they are mentioned below:-

  • Enabling Kubelet authentication.
  • To stop the threat actors from reading all the Kubelet data and to perform malicious actions the experts have restricted the kubelet permissions.
  • The short-term certs have all potential impact and were reduced after rotating the Kubelet certificates, as the experts thought that a chance of compromise might occur.

Crypto-jacking

As we said above regarding the kube_pwn() function, it lists all the current pods that are being run inside the node in a JSON format. However, to run some commands the pods take advantage of the /run endpoint that is present on the kubelet API.

And that’s why here we have mentioned the commands below:-

  • At first updates the package index that is present in the container.
  • After that installs the mentioned packages: bash, get, and curl.
  • Once done with the installation process, now, downloads a shell script that is named setup_xmr.sh from the C&C server of TeamTNT, and after that saves it on the tmp folder.
  • Now to start mining the Monero cryptocurrency, it will execute the script.

Recommendations

For the threat actors Exploit Public-Facing Applications (T1190) is one of the entry points, since, through the RBAC misconfiguration or a cluster’s vulnerable version it allows the attackers to take over a cluster of any organization.

However, one can easily check from an external IP by hitting on the API server, as doing so will show you if the API is exposed or not.

Moreover, the targets are increasing, as this is not the first case of Cryptohijacking, and that’s why the experts are trying their best to monitor the attacks properly.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a...

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals...

Sophisticated Phishing Attack Targeting Ukraine Military Sectors

The Ukrainian Cyber Emergency Response Team discovered a targeted phishing campaign launched by UAC-0215...

Chinese Hackers Attacking Microsoft Customers With Sophisticated Password Spray Attacks

Researchers have identified a network of compromised devices, CovertNetwork-1658, used by Chinese threat actors...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a...

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals...

Russia, Iran, And China Influence U.S. Elections, Microsoft Warns

The researchers have observed consistent efforts by Russia, Iran, and China to exert foreign...