TeamTNT Has Compromised Nearly 50,000 Vulnerable Kubernetes Endpoints

  • TeamTNT has already entered 50,000 misconfigured Kubernetes servers using a worm-like attack.
  • The actors are using open source network scanning tools and exploit open kubelet API ports.
  • Mining Monero on Kubernetes servers is ideal because these endpoints have access to limitless resources.

It looks like TeamTNT’s worming attacks are working exceptionally well against misconfigured and vulnerable Kubernetes endpoints, as according to a recent TrendMicro report, the malicious actors have compromised nearly 50,000 of them. Most of the intrusions target Chinese servers, while the United States, France, Germany, the UK, and Canada are also significantly affected. As the researchers report, some of these servers got repeatedly exploited, indicating the automation that goes in the scanning and worm-like spreading of the malware onto vulnerable endpoints.

Source: TrendMicro

TeamTNT appears to be using an executable named ‘’, which is only detected by a fraction of AV engines in VirusTotal, so the chances to raise any red flags are slim. The hackers also disable the bash history on the target host and set up the C2 server communications to accommodate the Monero miner (XMRig) that’s dropped later.

Source: TrendMicro

The script also installs masscan and Zgrab, two off-the-shelf open-source network reconnaissance tools. Masscan is checking for any hosts with port 10250 open, which is left to open by default as part of the kubelet API.

Source: TrendMicro

The malware then lists all the running pods inside the node and then takes advantage of the /run endpoint to execute the following four commands:

  1. Update the package index of the container
  2. Install bash, wget, and curl
  3. Download a shell script called from the C&C server and save it on the tmp folder
  4. Execute the script that starts the mining of Monero

In order to shut the door to TeamTNT’s attacks, you should close port 10250 on operational K8s clusters and protect Kube API servers from exposure. By running “curl -k https://API-SERVER-IP:PORT/api.”, you can check if any of your APIs are public-facing and remediate the issue. Moreover, running cloud security products would be a wise thing for sure.

Only a week ago, we analyzed why ‘TeamTNT’ is now considered a serious threat, having evolved from an “opportunistic actor” status. This latest report about Kubernetes targeting specifically underlines the fact that TeamTNT is targeting a wide scope of vulnerable systems, and with its worm-like attacks, the scale of the compromise is already impressive.

How to Watch Bones of Crows Online from Anywhere
The five-part hour-long drama series Bones of Crows tells its story through the perspective of Cree Matriarch. There is also a Bones...
How to Watch Time for Her to Come Home for Christmas Online from Anywhere
In Time for Her to Come Home for Christmas, Carly leads a Christmas choir in a small town, coping with her first...
How to Watch LA Fire and Rescue Online from Anywhere
While most viewers will probably be familiar with Chicago Fire, LA Fire and Rescue is bringing something new to the table when...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari