Categories: Cyber Attack

Over 50,000 IPs Across Multiple Kubernetes Clusters Were Compromised by The TeamTNT Threat Actors

The cybersecurity researchers of Trend Micro have recently detected a new threat attack in which the Cryptojacking attack group named TeamTNT has compromised over 50,000 IPs across various Kubernetes Clusters.

Kubernetes is one of the most famous approved open-sour container-orchestration platforms that is specifically used for automating the deployment, management of containerized applications, and scaling.

Kubernetes is always been one of the attractive targets for the threat actors because they are always misconfigured, particularly all those applications that are running primarily in cloud environments along with the access to infinite resources. 

How a Kubernetes Cluster is Compromised?

After a long investigation, the researchers at Trend Micro security have luckily collected a file from the servers of the threat actors. The file named kube.lateral.sh, as per the experts this file has a very low detection rate in VirusTotal.

For setting the environment, the hackers initially disable the bash history of the host they have targeted. However, the scripts were mainly used to install the crypto miner later as well as the binary of the XMRig Monero miner.

The tools were the network scanning tool masscan which is being developed in C, and another one is the banner-grabbing, deprecated Zgra that is developed in Go.

Moreover, these scripts have a large base64 encoded code block, that helps the hackers to install the IRC bot, and it is written in C, which is specifically based on a famous IRC bot named Kaiten.

After all this, the experts noticed the function kube_pwn() on the last part of the script. This function uses Masscan to see whether any hosts are open with port 10250 or not.

Kubelets

However, Kubelets is not appraised as one of the best methods that should run in application pods on the control plane and nodes of a cluster. Kubelet is one of the agents that specifically runs on every node to ensure that each container is being organized in a Pod.

The Kubelet security setting has three critical factors and here they are mentioned below:-

  • Enabling Kubelet authentication.
  • To stop the threat actors from reading all the Kubelet data and to perform malicious actions the experts have restricted the kubelet permissions.
  • The short-term certs have all potential impact and were reduced after rotating the Kubelet certificates, as the experts thought that a chance of compromise might occur.

Crypto-jacking

As we said above regarding the kube_pwn() function, it lists all the current pods that are being run inside the node in a JSON format. However, to run some commands the pods take advantage of the /run endpoint that is present on the kubelet API.

And that’s why here we have mentioned the commands below:-

  • At first updates the package index that is present in the container.
  • After that installs the mentioned packages: bash, get, and curl.
  • Once done with the installation process, now, downloads a shell script that is named setup_xmr.sh from the C&C server of TeamTNT, and after that saves it on the tmp folder.
  • Now to start mining the Monero cryptocurrency, it will execute the script.

Recommendations

For the threat actors Exploit Public-Facing Applications (T1190) is one of the entry points, since, through the RBAC misconfiguration or a cluster’s vulnerable version it allows the attackers to take over a cluster of any organization.

However, one can easily check from an external IP by hitting on the API server, as doing so will show you if the API is exposed or not.

Moreover, the targets are increasing, as this is not the first case of Cryptohijacking, and that’s why the experts are trying their best to monitor the attacks properly.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Hack The box “Ghost” Challenge Cracked – A Detailed Technical Exploit

Cybersecurity researcher "0xdf" has cracked the "Ghost" challenge on Hack The Box (HTB), a premier…

11 hours ago

Sec-Gemini v1 – Google’s New AI Model for Cybersecurity Threat Intelligence

Google has unveiled Sec-Gemini v1, an AI model designed to redefine cybersecurity operations by empowering…

11 hours ago

U.S. Secures Extradition of Rydox Cybercrime Marketplace Admins from Kosovo in Major International Operation

The United States has successfully extradited two Kosovo nationals, Ardit Kutleshi, 26, and Jetmir Kutleshi,…

17 hours ago

Ivanti Fully Patched Connect Secure RCE Vulnerability That Actively Exploited in the Wild

Ivanti has issued an urgent security advisory for CVE-2025-22457, a critical vulnerability impacting Ivanti Connect…

2 days ago

Beware! Weaponized Job Recruitment Emails Spreading BeaverTail and Tropidoor Malware

A concerning malware campaign was disclosed by the AhnLab Security Intelligence Center (ASEC), revealing how…

2 days ago

EncryptHub Ransomware Uncovered Through ChatGPT Use and OPSEC Failures

EncryptHub, a rapidly evolving cybercriminal entity, has come under intense scrutiny following revelations of operational…

2 days ago