Categories: Cyber Attack

Over 50,000 IPs Across Multiple Kubernetes Clusters Were Compromised by The TeamTNT Threat Actors

The cybersecurity researchers of Trend Micro have recently detected a new threat attack in which the Cryptojacking attack group named TeamTNT has compromised over 50,000 IPs across various Kubernetes Clusters.

Kubernetes is one of the most famous approved open-sour container-orchestration platforms that is specifically used for automating the deployment, management of containerized applications, and scaling.

Kubernetes is always been one of the attractive targets for the threat actors because they are always misconfigured, particularly all those applications that are running primarily in cloud environments along with the access to infinite resources. 

How a Kubernetes Cluster is Compromised?

After a long investigation, the researchers at Trend Micro security have luckily collected a file from the servers of the threat actors. The file named kube.lateral.sh, as per the experts this file has a very low detection rate in VirusTotal.

For setting the environment, the hackers initially disable the bash history of the host they have targeted. However, the scripts were mainly used to install the crypto miner later as well as the binary of the XMRig Monero miner.

The tools were the network scanning tool masscan which is being developed in C, and another one is the banner-grabbing, deprecated Zgra that is developed in Go.

Moreover, these scripts have a large base64 encoded code block, that helps the hackers to install the IRC bot, and it is written in C, which is specifically based on a famous IRC bot named Kaiten.

After all this, the experts noticed the function kube_pwn() on the last part of the script. This function uses Masscan to see whether any hosts are open with port 10250 or not.

Kubelets

However, Kubelets is not appraised as one of the best methods that should run in application pods on the control plane and nodes of a cluster. Kubelet is one of the agents that specifically runs on every node to ensure that each container is being organized in a Pod.

The Kubelet security setting has three critical factors and here they are mentioned below:-

  • Enabling Kubelet authentication.
  • To stop the threat actors from reading all the Kubelet data and to perform malicious actions the experts have restricted the kubelet permissions.
  • The short-term certs have all potential impact and were reduced after rotating the Kubelet certificates, as the experts thought that a chance of compromise might occur.

Crypto-jacking

As we said above regarding the kube_pwn() function, it lists all the current pods that are being run inside the node in a JSON format. However, to run some commands the pods take advantage of the /run endpoint that is present on the kubelet API.

And that’s why here we have mentioned the commands below:-

  • At first updates the package index that is present in the container.
  • After that installs the mentioned packages: bash, get, and curl.
  • Once done with the installation process, now, downloads a shell script that is named setup_xmr.sh from the C&C server of TeamTNT, and after that saves it on the tmp folder.
  • Now to start mining the Monero cryptocurrency, it will execute the script.

Recommendations

For the threat actors Exploit Public-Facing Applications (T1190) is one of the entry points, since, through the RBAC misconfiguration or a cluster’s vulnerable version it allows the attackers to take over a cluster of any organization.

However, one can easily check from an external IP by hitting on the API server, as doing so will show you if the API is exposed or not.

Moreover, the targets are increasing, as this is not the first case of Cryptohijacking, and that’s why the experts are trying their best to monitor the attacks properly.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges in Organizational Environments

A startling discovery by BeyondTrust researchers has unveiled a critical vulnerability in Microsoft Entra ID…

20 hours ago

Threat Actors Exploit Google Apps Script to Host Phishing Sites

The Cofense Phishing Defense Center has uncovered a highly strategic phishing campaign that leverages Google…

21 hours ago

Dadsec Hacker Group Uses Tycoon2FA Infrastructure to Steal Office365 Credentials

Cybersecurity researchers from Trustwave’s Threat Intelligence Team have uncovered a large-scale phishing campaign orchestrated by…

21 hours ago

Beware: Weaponized AI Tool Installers Infect Devices with Ransomware

Cisco Talos has uncovered a series of malicious threats masquerading as legitimate AI tool installers,…

22 hours ago

Pure Crypter Uses Multiple Evasion Methods to Bypass Windows 11 24H2 Security Features

Pure Crypter, a well-known malware-as-a-service (MaaS) loader, has been recognized as a crucial tool for…

22 hours ago

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges

A recent discovery by security researchers at BeyondTrust has revealed a critical, yet by-design, security…

22 hours ago