{"id":1059,"date":"2024-12-04T06:42:53","date_gmt":"2024-12-04T06:42:53","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1059"},"modified":"2024-12-04T06:42:53","modified_gmt":"2024-12-04T06:42:53","slug":"lessons-to-learn-from-teamtnt-best-practices-for-securing-cloud-environments","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1059","title":{"rendered":"Lessons to Learn from TeamTNT: Best Practices for Securing Cloud Environments"},"content":{"rendered":"
\n
\n
\n
\n
\n

Is your system being used for crypto mining without your consent? This might sound unlikely to you, but it could be possible, and you won\u2019t even know about it. Cryptojackers can find your unprotected or exposed servers to put malicious code or malware and use it for mining cryptocurrencies.<\/span>\u00a0<\/span><\/p>\n

The notorious cryptojacking group known as TeamTNT has appeared to launch such a cloud attack at a very large-scale targeting cloud-native environments (Docker or Kubernetes) for illicit cryptocurrency mining and even renting out these breached servers to various third parties for profit.<\/span><\/p>\n<\/div>\n<\/div>\n

\n
\n

What is the new cryptojacking attack by TeamTNT?<\/h2>\n<\/div>\n<\/div>\n
\n
\n

The cryptojacking attack by TeamTNT is a type of malware that is deployed in exposed Docker daemons with a goal of compromising the cloud environment and enlisting them into a Docker Swarm, creating a malicious botnet. This Docker Swarm will be controlled by TeamTNT for illegal crypto mining using its orchestration feature.<\/span>\u00a0<\/span><\/p>\n

The attack then leverages Docker to deploy a crypto miner on the compromised container. The attack also fetches and executes additional payloads that are responsible for conducting lateral movement to related hosts.\u00a0<\/span>\u00a0<\/span><\/p>\n

Furthermore, additional rootkits are implemented to hide malicious crypto miner from the user to stealthily mine crypto and evade detection. This is a common practice in such cryptojacking attacks.<\/span><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

\n
\n
\n
\n

How does TeamTNT execute the attack?<\/h2>\n<\/div>\n<\/div>\n
\n
\n

TeamTNT<\/span> has <\/span>identified<\/span> a step-by-step process that <\/span>appear<\/span>s to be<\/span> effective and quick at their end to <\/span>execute the cloud attack<\/span>. <\/span>Here <\/span>are the steps:<\/span><\/span><\/p>\n<\/div>\n<\/div>\n

\n
\n

1. Scan for exposed Docker APIs<\/h3>\n<\/div>\n<\/div>\n
\n
\n

In the first step, <\/span>TeamTNT<\/span> identif<\/span>ies<\/span> exposed or <\/span>unauthenticated Docker API endpoints<\/span>\/Docker daemons<\/span>. These are <\/span>identified<\/span> using <\/span>internet scanning <\/span>tools <\/span>such as<\/span> masscan<\/span> and <\/span>ZGrab<\/span>. These <\/span>scanning <\/span>tools are used to s<\/span>earch<\/span> for open ports<\/span>, <\/span>specifically 2375, 2376, 4243, and 4244<\/span>,<\/span> across <\/span>close to <\/span>16.7<\/span> million IP addresses.<\/span><\/p>\n<\/div>\n<\/div>\n

\n
\n

2. Compromise the Docker API<\/h3>\n<\/div>\n<\/div>\n
\n
\n

Once <\/span>the<\/span> vulnerable <\/span>Docker <\/span>API <\/span>endpoint <\/span>is <\/span>identified<\/span>, <\/span>the team <\/span>deploy<\/span>s<\/span> a container running an Alpine Linux image with malicious commands to compromise the <\/span>exposed <\/span>environment.<\/span><\/p>\n<\/div>\n<\/div>\n

\n
\n

3. Deploy crypto mining software<\/h3>\n<\/div>\n<\/div>\n
\n
\n

As <\/span>TeamTNT<\/span> ensures that the container is running as the root user and necessary tools are installed, <\/span>the team downloads <\/span>XMRig<\/span> miner on the container to start the crypto<\/span> mining activities. <\/span>The <\/span>Alpine Linux <\/span>image also runs <\/span>a<\/span> shell script named Docker Gatling Gun (TDGGinit.sh)<\/span> to<\/span> launch various post-exploitation activities<\/span>. These activities <\/span>help <\/span>TeamTNT<\/span> to<\/span> extend the duration of their attack, <\/span>secure their foothold in the compromised<\/span> container,<\/span> and prepare for future stages of the attack.<\/span><\/p>\n<\/div>\n<\/div>\n

\n
\n

4. Remain anonymous for a prolonged impact<\/h3>\n<\/div>\n<\/div>\n
\n
\n

The <\/span>final step<\/span> is to put an <\/span>additional<\/span> layer of privacy in place to ensure they <\/span>operate<\/span> stealthily and prolong their campaign\u2019<\/span>s lifespan.<\/span> TeamTNT<\/span> has been <\/span>observed<\/span> using <\/span>A<\/span>non<\/span>DNS<\/span>, a service designed to provide anonymity and privacy when resolving DNS queries.<\/span> With<\/span> AnonDNS<\/span>, <\/span>they <\/span>can <\/span>hide <\/span>the location of their command-and-control servers, <\/span>which makes it<\/span> difficult<\/span> for <\/span>cyber security experts<\/span> to track their infrastructure and shut it down<\/span>.<\/span><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

\n
\n
\n
\n

How to Ensure Cloud Security against attacks like TeamTNT?<\/h2>\n<\/div>\n<\/div>\n
\n
\n

To defend cloud environments against attacks by cryptojacking groups like TeamTNT, organizations need to adopt a multi-layered security approach. Here are some key strategies you can implement:<\/span>\u00a0<\/span><\/p>\n

Authenticate Docker APIs<\/span> \u2013 You should ensure that Docker APIs should be properly authenticated and are not exposed to the internet. Exposed Docker APIs could be an easy target for attackers.<\/span>\u00a0<\/span>Keep Docker segregated \u2013<\/span> In case of an attack, segregating the Docker environment from other parts of the network can help you contain its impact. It will effectively prevent the lateral movement of the attack by limiting the attack surface within the network.<\/span>\u00a0<\/span>Do not expose the Docker daemon socket<\/span> \u2013 Docker socket is the UNIX socket that Docker listens to, which is the main entry gate for the Docker API. The owner of this socket is root. Exposing the Docket daemon socket can give someone unrestricted root access to your host.<\/span>\u00a0<\/span>Limit capabilities<\/span> \u2013 The most secure Docker setup is to limit the capabilities to a minimum. You can drop or add some capabilities to the Docker based on your requirements. One thing to note is that running the container with \u2018privileged flag\u2019 will add all capabilities to the container, making it less secure and vulnerable to attacks.<\/span>\u00a0<\/span>Keep host and Docker up to date<\/span> \u2013 It is vital to keep the host and Docker up to date to safeguard the container against known vulnerabilities. This means that you need to regularly update the host kernel and the Docker Engine. Not doing this can typically lead attackers to gain root access to the host.\u00a0<\/span>\u00a0<\/span>Run Docker in rootless mode<\/span> \u2013 Running Docker in rootless mode ensures that the Docker daemon and containers run as an unprivileged user. This makes sure that even if your Docker container is under attack, the attacker will not be able to gain root access on the host, substantially limiting the attack surface.<\/span>\t\t\t\t\t\t<\/p><\/div>\n<\/div>\n

\n
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n<\/div>\n<\/div>\n<\/div>\n
\n
\n
\n
\n

Best practices for securing cloud environments<\/h2>\n<\/div>\n<\/div>\n
\n
\n

Securing cloud environments requires organizations to adopt a multi-layered approach which involves processes, tools, and policies. These systems work together in sync to protect containers<\/a>, data, and other services, keeping adversaries away.\u00a0<\/span>\u00a0<\/span><\/p>\n

As cloud environments become increasingly complex, the importance of adopting cloud security best practices is even more evident. Below are some key practices for securing cloud environments:<\/span><\/p>\n<\/div>\n<\/div>\n

\n
\n

Use Strong Identity and Access Management (IAM)<\/h3>\n<\/div>\n<\/div>\n
\n
\n

Implementing strong IAM strategies helps your organization protect sensitive data<\/a> and systems from unauthorized access. Furthermore, it can help you effectively manage digital identities, security policies, and access permissions.<\/span>\u00a0<\/span><\/p>\n

Limit necessary permissions for accounts and services to minimize the impact of the attack even if an account is compromised.<\/span>\u00a0<\/span>Implement multi-factor authentication (MFA) and other methods to apply strict and limited access to users and accounts. This will ensure better security and limit unauthorized access.\u00a0\u00a0<\/span>\u00a0<\/span>Use RBAC or role-based access control to make sure that users only have necessary permissions and access to perform their day-to-day tasks.<\/span>\t\t\t\t\t\t<\/p><\/div>\n<\/div>\n

\n
\n

Ensure High Cloud Security<\/h3>\n<\/div>\n<\/div>\n
\n
\n

The following cloud security measures can help your organization ensure strong user and device authentication, high data privacy, and controlled data access.<\/span>\u00a0<\/span><\/p>\n

Perform security audits regularly (weekly\/monthly basis) to scan your environment for anomalies, misconfigurations, and vulnerabilities.\u00a0<\/span>\u00a0<\/span>Detect any malicious or suspicious activities through continuous monitoring like unauthorized access, malicious codes, and unknown container deployments.<\/span>\u00a0<\/span>Apply network segmentation to minimize the exposure of critical systems of your organization to the internet. It can also minimize the attack surface to a great extent and prevent lateral movement within the network.<\/span>\u00a0<\/span>Ensure that security systems you use for your cloud environment are up to date with the latest security patches. This is the most effective way to prevent attacks and keep vulnerabilities away. If not, attackers can easily exploit vulnerabilities in the container to gain unauthorized access.<\/span>\u00a0<\/span>Use cybersecurity solutions like endpoint detection and response (EDR)<\/a>, <\/span>network detection and response (NDR)<\/a><\/span>, and firewalls to protect your network and endpoints from adversaries.\u00a0<\/span>\u00a0<\/span>\u00a0<\/span>Make use of cyber threat intelligence to stay informed about TTPs of the attackers to stay ahead of the emerging attacks.<\/span>\t\t\t\t\t\t<\/p><\/div>\n<\/div>\n

\n
\n

Encrypt Data<\/h3>\n<\/div>\n<\/div>\n
\n
\n

Apply data encryption techniques to protect the sensitive data in your cloud environments or servers. With strong encryption algorithms, you can ensure high security and confidentiality of your data.<\/span>\u00a0<\/span><\/p>\n

Encrypt your valuable data in storage through encryption algorithms like AES-256 to get protection against unauthorized access, even if the attacker gains access to your database.<\/span>\u00a0<\/span>Encrypt your data through secure protocols like transport layer security (TLS) to provide security while the data is being transmitted between users and systems.<\/span>\t\t\t\t\t\t<\/p><\/div>\n<\/div>\n<\/div>\n<\/div>\n

\n
\n
\n
\n

Stop TeamTNT malware with Fidelis Network<\/h2>\n<\/div>\n<\/div>\n
\n
\n

Fidelis Security offers Fidelis Network<\/a>, a comprehensive and robust network detection and response solution that helps you safeguard your network. Fidelis Network has identified more than 6.7 million malware threats and promises you:<\/span>\u00a0<\/span><\/p>\n

Continuous monitoring for threats and malicious activities<\/span>\u00a0<\/span>Analysis and real-time alerts of malware attack<\/span>\u00a0<\/span>Protection against data exfiltration<\/a><\/span>\u00a0<\/span>Scan lateral movement in the network\u00a0<\/span>\t\t\t\t\t\t<\/p><\/div>\n<\/div>\n<\/div>\n<\/div>\n

\n
\n
\n
\n
\n
\n
<\/div>\n
<\/div>\n<\/div>\n
\n
\n\t\t\t\t\t\tGet in touch with us for more information\t\t\t\t\t<\/div>\n
\n\t\t\t\t\t\tWith Fidelis Network, you can be assured that you have full and deep internal visibility across all the ports and protocols of your network.\t\t\t\t\t<\/div>\n
\n\t\t\t\t\t
\n\t\t\t\t\t\tTalk to our experts\t\t\t\t\t<\/a>\n\t\t\t\t\t<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n
\n
\n
\n
\n

Safeguard Cloud Environments Against Emerging Threats<\/h2>\n<\/div>\n<\/div>\n
\n
\n

As more and more organizations are moving towards cloud-only environments, the frequency and complexity of cyber-attacks will continue to rise. These attacks, especially by infamous cryptojacking groups like TeamTNT, act as a reminder that how vulnerable these servers can be.\u00a0<\/span>\u00a0<\/span><\/p>\n

We emphasize the need for robust security measures, so your cloud environment remains protected against such attacks. It is critical to adopt a strong and comprehensive cloud security strategy to ensure that your data and systems remain secure and avoid any kind of adversaries.<\/span><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

The post Lessons to Learn from TeamTNT: Best Practices for Securing Cloud Environments<\/a> appeared first on Fidelis Security<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"

Is your system being used for crypto mining without your consent? This might sound unlikely to you, but it could be possible, and you won\u2019t even know about it. Cryptojackers can find your unprotected or exposed servers to put malicious code or malware and use it for mining cryptocurrencies.\u00a0 The notorious cryptojacking group known as […]<\/p>\n","protected":false},"author":0,"featured_media":1060,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-1059","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1059"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1059"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1059\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1060"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1059"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1059"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1059"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}