"We believe this actor is actively tuning and improving their tools. Based on the tweaks observed across the past several weeks, the actor is likely preparing for larger scale campaigns."

Permiso researcher Abian Morina reckoned on Wednesday a multi-cloud campaign may already be underway as of this week.

It is not entirely clear exactly how the miscreants break into people's cloud resources: check the linked advisories for technical details and indicators of compromise, and use the given info to detect and stop any identifiable intrusions, we say.

Cloud credentials are a popular target

According to a write-up last year from Elastic Security Labs, 33 percent of cyberattacks in the cloud use stolen credentials, something TeamTNT is known for.

The group has been around since 2019, though two years ago it announced it was quitting. However, Trend Micro said the crew, known for targeting cloud and container environments, was back in business as of late last year.

Permiso in December 2022 documented how TeamTNT was scouring Jupyter Notebook services primarily for AWS credentials. The miscreants appear to have started targeting vulnerable Docker deployments, too, and updated their intrusion tools. Those updates have brought in support for obtaining Azure and Google Cloud credentials, made the scripts more modular to achieve more complex attacks, improved the credential harvesting, and brought in the curl command-line tool to exfiltrate data.

In addition, the group previously hosted its command-and-control (C2) activities and files in an openly accessible directory on a single domain. Now the C2's directory requires a hardcoded username and password to access, making it tougher to inspect and stop. This infrastructure, which previously used a Netherlands-based IP address, now runs across several subdomains.

The researchers also found an ELF binary built from Golang source code; this executable is used to spread the malware to other vulnerable targets, seemingly in a worm-like fashion. The miscreants hide this system scanner as an embedded base64 object within the binary to make it more difficult to detect.

The latest campaign "demonstrates the evolution of a seasoned cloud actor with familiarity across many technologies," Delamotte wrote. "The meticulous attention to detail indicates the actor has clearly experienced plenty of trial and error. The actor has also improved the tool's data formatting to enable more autonomous activity, which demonstrates a certain level of maturity and skill."

The work by SentinelLabs and Permiso echoes what Aqua uncovered earlier this month in connection with a "potentially massive campaign against cloud native environments" that researchers Ofek Itach and Assaf Morag laid at the feet of TeamTNT or a group using the same techniques.

Their investigation kicked off after an attack was detected against a Jupyter honeypot run by Aqua, and led to an examination of a container image and Docker Hub account, they wrote. They described the Silentbob campaign as an "aggressive cloud worm, designed to deploy on exposed JupyterLab and Docker APIs in order to deploy Tsunami malware, cloud credentials hijack, resource hijack and further infestation of the worm."

Like SentinelLabs, the Aqua researchers said it appeared that what they were looking at was a trial run for a bigger operation. "Given that some functions in the code remain unused and the linked attack patterns suggest manual testing, we theorize that the attacker is in the process of optimizing their algorithm," they wrote at the start of July. "Looks like TeamTNT or a TeamTNT copycat is preparing a campaign. We treat this as an early warning, and hopefully a prevention to the campaign."

Aqua and SentinelLabs recommended enterprises protect themselves against such attacks by taking such steps as not deploying Jupyter software without authentication, properly configuring and patching web applications to minimize exploitation, restricting external access to Docker, and using the least-privilege principle by limiting the permissions of containers.
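To make those recommendations concrete, here is an added docker-compose fragment (not from the article or from the researchers it quotes) that puts the exposed deployment the campaign targets next to a hardened one; the image name, port, volume name and the JUPYTER_TOKEN variable are assumptions for illustration.

```yaml
# Added example, not part of the original article. Image, port and volume names are assumed.

# --- Weak: what an "exposed JupyterLab and Docker API" deployment looks like ---
# services:
#   jupyter:
#     image: jupyter/base-notebook                    # assumed image
#     command: start-notebook.sh --ServerApp.token='' --ServerApp.password=''  # no auth at all
#     ports:
#       - "8888:8888"                                 # listens on every interface
#     privileged: true                                # full host access from the notebook
#     volumes:
#       - /var/run/docker.sock:/var/run/docker.sock   # hands the Docker API to whoever gets a shell

# --- Hardened: the four recommendations applied ---
services:
  jupyter:
    image: jupyter/base-notebook                      # assumed image; keep it patched
    # 1. Never run Jupyter without authentication: require a token supplied at
    #    deploy time (compose aborts if JUPYTER_TOKEN is unset) instead of a
    #    value committed to the file.
    command: start-notebook.sh --ServerApp.token="${JUPYTER_TOKEN:?set JUPYTER_TOKEN}"
    # 2. Restrict external access: bind to loopback only and put a TLS reverse
    #    proxy or VPN in front rather than exposing the web app to the internet.
    ports:
      - "127.0.0.1:8888:8888"
    # 3. Least privilege for the container: unprivileged user, no capabilities,
    #    no privilege escalation, bounded process count.
    user: "1000:100"
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
    pids_limit: 256
    # 4. No Docker socket: the notebook gets a data volume only, so a compromised
    #    kernel cannot reach the Docker API to spawn further containers.
    volumes:
      - notebooks:/home/jovyan/work

volumes:
  notebooks:
```

Keep the Docker daemon itself off any TCP listener (no `-H tcp://0.0.0.0:2375` in daemon.json or the service unit) so the API is only reachable through the local socket by authorised users.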