TeamTNT Hijacking Servers: Criminal Gang Specializing in Attacking Cloud Environments is Back

Honeypot activity spotted by one of the cybersecurity vendors confirmed that the cryptojacking TeamTNT gang is back on the prowl. The threat actor was first detected in early 2020, targeting cloud environments. However, in late 2021 TeamTNT adversaries tweeted a farewell message, which seemed to be true since the past year’s attacks that were traced back to the gang were automatically generated.

The most recent attacks show TTPs that can be linked to TeamTNT, suggesting that the threat actor is probably back in the threat landscape.

Detect TeamTNT Activity

Utilize a new Sigma-based release by Zaw Min Htun (ZETA) to detect a botnet deployed by TeamTNT threat actors:

Possible Detection of TeamTNT’s Cronb Attack (via file event)

This detection has translations for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, FireEye, LogPoint, SentinelOne, Graylog, Regex Grep, CrowdStrike, Microsoft PowerShell, RSA NetWitness, Chronicle Security, Microsoft Defender ATP, Snowflake, Securonix, Apache Kafka ksqlDB, Carbon Black, Open Distro, and AWS OpenSearch.

The rule is aligned with MITRE ATT&CK® framework v.10, addressing the Resource Development tactic with Compromise Infrastructure (T1584) as the primary technique.

With threat actors continuously improving their tricks, we offer field-proven solutions to monitor for potential risks for free. Threat hunters, detection engineers, and other InfoSec practitioners striving to improve the organization’s cybersecurity posture can join SOC Prime’s platform and reach a comprehensive detection stack for swift detection of TeamTNT attacks. Click the Explore Detections button to get access to the dedicated rule kit.

Explore Detections  

TeamTNT Attacks’ Analysis

Security researchers from Aqua Security are behind the honeypots that lured the adversaries in question. The researchers have documented the intrusion attempts attributing them to the TeamTNT group in September 2022, signifying TeamTNT activity renewal. This is the first operation in almost a year since the crypto-mining gang shut shop in the late fall of 2021.

Aqua Security has detected three types of the recent attacks. The one tagged  “the Kangaroo attack” is the gang’s “simplest and most dramatic”. Adversaries hit vulnerable Docker Daemons, drop AlpineOS image, download a shell script, and get the Bitcoin solver. Two other types of attack dubbed the “Cronb” and “What Will Be” were launched to deploy coin miners and Tsunami binaries.

The year 2022 became a challenging time for security professionals, with many threat actors resurfacing with new and improved features yet relying on time-tested approaches. Enhance your cybersecurity readiness by embracing the power of collaborative defense by joining our global cybersecurity community at SOC Prime’s Detection as Code platform. Avail of accurate and timely detections made by seasoned professionals from around the world to boost your SOC team’s operations and security posture.