TeamTNT Has Compromised Nearly 50,000 Vulnerable Kubernetes Endpoints

  • TeamTNT has already entered 50,000 misconfigured Kubernetes servers using a worm-like attack.
  • The actors are using open source network scanning tools and exploit open kubelet API ports.
  • Kubernetes servers are ideal Monero-mining targets because these endpoints have access to limitless resources.

It looks like TeamTNT’s worming attacks are working exceptionally well against misconfigured and vulnerable Kubernetes endpoints: according to a recent TrendMicro report, the malicious actors have compromised nearly 50,000 of them. Most of the intrusions target Chinese servers, while the United States, France, Germany, the UK, and Canada are also significantly affected. The researchers report that some of these servers were exploited repeatedly, which points to the automation behind the scanning and the worm-like spreading of the malware onto vulnerable endpoints.

Source: TrendMicro

TeamTNT appears to be using an executable named ‘kube.lateral.sh’, which only a fraction of the AV engines on VirusTotal detect, so the chances of it raising any red flags are slim. The hackers also disable the bash history on the target host and set up the C2 server communications to accommodate the Monero miner (XMRig) that is dropped later.

Source: TrendMicro

The script also installs masscan and Zgrab, two off-the-shelf open-source network reconnaissance tools. Masscan checks for any hosts with port 10250 open, the port the kubelet API listens on by default.

Source: TrendMicro

The malware then lists all the pods running on the node and abuses the /run endpoint to execute the following four commands:

  1. Update the package index of the container
  2. Install bash, wget, and curl
  3. Download a shell script called setup_xmr.sh from the C&C server and save it in the tmp folder
  4. Execute the script that starts the mining of Monero

To shut the door on TeamTNT’s attacks, close port 10250 on operational K8s clusters and protect the Kube API servers from exposure. By running “curl -k https://API-SERVER-IP:PORT/api” you can check whether any of your API servers are public-facing and remediate the issue. Deploying cloud security products is also advisable.
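The exposure check described above, as an added example that is not part of the original report: it sends the same unauthenticated request as “curl -k” to a host's API server /api and to the kubelet port 10250, and classifies the answer as closed, auth-required or anonymous-access. The port 6443 and the kubelet /pods endpoint are assumptions (both are Kubernetes defaults but are not named on the page).

```python
import json
import ssl
import sys
import urllib.error
import urllib.request

# Assumed defaults: the article only gives "API-SERVER-IP:PORT" and port 10250.
API_PORT = 6443
KUBELET_PORT = 10250

def classify(status, body):
    """Exposure verdict for an unauthenticated GET; status 0 = connection failed."""
    if status == 0:
        return "closed"          # port closed/filtered: the desired state for 10250
    if status in (401, 403):
        return "auth-required"   # RBAC / anonymous auth disabled is doing its job
    if status == 200:
        try:
            kind = json.loads(body).get("kind")
        except (ValueError, AttributeError):
            return "unexpected"
        # APIVersions comes from the API server's /api, PodList from the kubelet's /pods
        if kind in ("APIVersions", "PodList"):
            return "anonymous-access"
        return "unexpected"
    return "http-%d" % status

def probe(url, timeout=5):
    """Same request as `curl -k URL`: no certificate check, no credentials."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return 0, ""

def audit(host):
    # Verdicts for the two endpoints the article discusses, on one host
    return {
        "apiserver:/api": classify(*probe("https://%s:%d/api" % (host, API_PORT))),
        "kubelet:/pods": classify(*probe("https://%s:%d/pods" % (host, KUBELET_PORT))),
    }

if __name__ == "__main__":
    for host in sys.argv[1:]:
        print(host, audit(host))
```

Run it against your own cluster addresses only; any host that reports anonymous-access should be firewalled or have anonymous authentication disabled before anything else.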

Only a week ago, we analyzed why ‘TeamTNT’ is now considered a serious threat, having evolved from an “opportunistic actor” status. This latest report, which focuses specifically on Kubernetes, underlines the fact that TeamTNT is targeting a wide scope of vulnerable systems, and with its worm-like attacks, the scale of the compromise is already impressive.
