Over 50,000 IPs Across Multiple Kubernetes Clusters Were Compromised by The TeamTNT Threat Actors

The cybersecurity researchers of Trend Micro have recently detected a new threat attack in which the Cryptojacking attack group named TeamTNT has compromised over 50,000 IPs across various Kubernetes Clusters.

Kubernetes is one of the most famous approved open-sour container-orchestration platforms that is specifically used for automating the deployment, management of containerized applications, and scaling.

Kubernetes is always been one of the attractive targets for the threat actors because they are always misconfigured, particularly all those applications that are running primarily in cloud environments along with the access to infinite resources. 

How a Kubernetes Cluster is Compromised?

After a long investigation, the researchers at Trend Micro security have luckily collected a file from the servers of the threat actors. The file named kube.lateral.sh, as per the experts this file has a very low detection rate in VirusTotal.


For setting the environment, the hackers initially disable the bash history of the host they have targeted. However, the scripts were mainly used to install the crypto miner later as well as the binary of the XMRig Monero miner.

The tools were the network scanning tool masscan which is being developed in C, and another one is the banner-grabbing, deprecated Zgra that is developed in Go.

Moreover, these scripts have a large base64 encoded code block, that helps the hackers to install the IRC bot, and it is written in C, which is specifically based on a famous IRC bot named Kaiten.

After all this, the experts noticed the function kube_pwn() on the last part of the script. This function uses Masscan to see whether any hosts are open with port 10250 or not.


However, Kubelets is not appraised as one of the best methods that should run in application pods on the control plane and nodes of a cluster. Kubelet is one of the agents that specifically runs on every node to ensure that each container is being organized in a Pod.

The Kubelet security setting has three critical factors and here they are mentioned below:-

  • Enabling Kubelet authentication.
  • To stop the threat actors from reading all the Kubelet data and to perform malicious actions the experts have restricted the kubelet permissions.
  • The short-term certs have all potential impact and were reduced after rotating the Kubelet certificates, as the experts thought that a chance of compromise might occur.


As we said above regarding the kube_pwn() function, it lists all the current pods that are being run inside the node in a JSON format. However, to run some commands the pods take advantage of the /run endpoint that is present on the kubelet API.

And that’s why here we have mentioned the commands below:-

  • At first updates the package index that is present in the container.
  • After that installs the mentioned packages: bash, get, and curl.
  • Once done with the installation process, now, downloads a shell script that is named setup_xmr.sh from the C&C server of TeamTNT, and after that saves it on the tmp folder.
  • Now to start mining the Monero cryptocurrency, it will execute the script.


For the threat actors Exploit Public-Facing Applications (T1190) is one of the entry points, since, through the RBAC misconfiguration or a cluster’s vulnerable version it allows the attackers to take over a cluster of any organization.

However, one can easily check from an external IP by hitting on the API server, as doing so will show you if the API is exposed or not.

Moreover, the targets are increasing, as this is not the first case of Cryptohijacking, and that’s why the experts are trying their best to monitor the attacks properly.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

BALAJI is a Former Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.


Please enter your comment!
Please enter your name here