Is your XDR solution truly comprehensive? Find Out Now!
Get a Demo

Lessons to Learn from TeamTNT: Best Practices for Securing Cloud Environments

  • Yogesh Rawal

Is your system being used for crypto mining without your consent? This might sound unlikely to you, but it could be possible, and you won’t even know about it. Cryptojackers can find your unprotected or exposed servers to put malicious code or malware and use it for mining cryptocurrencies.

The notorious cryptojacking group known as TeamTNT has appeared to launch such a cloud attack at a very large-scale targeting cloud-native environments (Docker or Kubernetes) for illicit cryptocurrency mining and even renting out these breached servers to various third parties for profit.

What is the new cryptojacking attack by TeamTNT?

The cryptojacking attack by TeamTNT is a type of malware that is deployed in exposed Docker daemons with a goal of compromising the cloud environment and enlisting them into a Docker Swarm, creating a malicious botnet. This Docker Swarm will be controlled by TeamTNT for illegal crypto mining using its orchestration feature.

The attack then leverages Docker to deploy a crypto miner on the compromised container. The attack also fetches and executes additional payloads that are responsible for conducting lateral movement to related hosts.

Furthermore, additional rootkits are implemented to hide malicious crypto miner from the user to stealthily mine crypto and evade detection. This is a common practice in such cryptojacking attacks.

How does TeamTNT execute the attack?

TeamTNT has identified a step-by-step process that appears to be effective and quick at their end to execute the cloud attack. Here are the steps:

1. Scan for exposed Docker APIs

In the first step, TeamTNT identifies exposed or unauthenticated Docker API endpoints/Docker daemons. These are identified using internet scanning tools such as masscan and ZGrab. These scanning tools are used to search for open ports, specifically 2375, 2376, 4243, and 4244, across close to 16.7 million IP addresses.

2. Compromise the Docker API

Once the vulnerable Docker API endpoint is identified, the team deploys a container running an Alpine Linux image with malicious commands to compromise the exposed environment.

3. Deploy crypto mining software

As TeamTNT ensures that the container is running as the root user and necessary tools are installed, the team downloads XMRig miner on the container to start the crypto mining activities. The Alpine Linux image also runs a shell script named Docker Gatling Gun (TDGGinit.sh) to launch various post-exploitation activities. These activities help TeamTNT to extend the duration of their attack, secure their foothold in the compromised container, and prepare for future stages of the attack.

4. Remain anonymous for a prolonged impact

The final step is to put an additional layer of privacy in place to ensure they operate stealthily and prolong their campaign’s lifespan. TeamTNT has been observed using AnonDNS, a service designed to provide anonymity and privacy when resolving DNS queries. With AnonDNS, they can hide the location of their command-and-control servers, which makes it difficult for cyber security experts to track their infrastructure and shut it down.

How to Ensure Cloud Security against attacks like TeamTNT?

To defend cloud environments against attacks by cryptojacking groups like TeamTNT, organizations need to adopt a multi-layered security approach. Here are some key strategies you can implement:

  • Authenticate Docker APIs – You should ensure that Docker APIs should be properly authenticated and are not exposed to the internet. Exposed Docker APIs could be an easy target for attackers.
  • Keep Docker segregated – In case of an attack, segregating the Docker environment from other parts of the network can help you contain its impact. It will effectively prevent the lateral movement of the attack by limiting the attack surface within the network.
  • Do not expose the Docker daemon socket – Docker socket is the UNIX socket that Docker listens to, which is the main entry gate for the Docker API. The owner of this socket is root. Exposing the Docket daemon socket can give someone unrestricted root access to your host.
  • Limit capabilities – The most secure Docker setup is to limit the capabilities to a minimum. You can drop or add some capabilities to the Docker based on your requirements. One thing to note is that running the container with ‘privileged flag’ will add all capabilities to the container, making it less secure and vulnerable to attacks.
  • Keep host and Docker up to date – It is vital to keep the host and Docker up to date to safeguard the container against known vulnerabilities. This means that you need to regularly update the host kernel and the Docker Engine. Not doing this can typically lead attackers to gain root access to the host.
  • Run Docker in rootless mode – Running Docker in rootless mode ensures that the Docker daemon and containers run as an unprivileged user. This makes sure that even if your Docker container is under attack, the attacker will not be able to gain root access on the host, substantially limiting the attack surface.
11 Best practices to safeguard your cloud environments Infographic

Best practices for securing cloud environments

Securing cloud environments requires organizations to adopt a multi-layered approach which involves processes, tools, and policies. These systems work together in sync to protect containers, data, and other services, keeping adversaries away.

As cloud environments become increasingly complex, the importance of adopting cloud security best practices is even more evident. Below are some key practices for securing cloud environments:

Use Strong Identity and Access Management (IAM)

Implementing strong IAM strategies helps your organization protect sensitive data and systems from unauthorized access. Furthermore, it can help you effectively manage digital identities, security policies, and access permissions.

  • Limit necessary permissions for accounts and services to minimize the impact of the attack even if an account is compromised.
  • Implement multi-factor authentication (MFA) and other methods to apply strict and limited access to users and accounts. This will ensure better security and limit unauthorized access.
  • Use RBAC or role-based access control to make sure that users only have necessary permissions and access to perform their day-to-day tasks.

Ensure High Cloud Security

The following cloud security measures can help your organization ensure strong user and device authentication, high data privacy, and controlled data access.

  • Perform security audits regularly (weekly/monthly basis) to scan your environment for anomalies, misconfigurations, and vulnerabilities.
  • Detect any malicious or suspicious activities through continuous monitoring like unauthorized access, malicious codes, and unknown container deployments.
  • Apply network segmentation to minimize the exposure of critical systems of your organization to the internet. It can also minimize the attack surface to a great extent and prevent lateral movement within the network.
  • Ensure that security systems you use for your cloud environment are up to date with the latest security patches. This is the most effective way to prevent attacks and keep vulnerabilities away. If not, attackers can easily exploit vulnerabilities in the container to gain unauthorized access.
  • Make use of cyber threat intelligence to stay informed about TTPs of the attackers to stay ahead of the emerging attacks.

Encrypt Data

Apply data encryption techniques to protect the sensitive data in your cloud environments or servers. With strong encryption algorithms, you can ensure high security and confidentiality of your data.

  • Encrypt your valuable data in storage through encryption algorithms like AES-256 to get protection against unauthorized access, even if the attacker gains access to your database.
  • Encrypt your data through secure protocols like transport layer security (TLS) to provide security while the data is being transmitted between users and systems.

Stop TeamTNT malware with Fidelis Network

Fidelis Security offers Fidelis Network, a comprehensive and robust network detection and response solution that helps you safeguard your network. Fidelis Network has identified more than 6.7 million malware threats and promises you:

  • Continuous monitoring for threats and malicious activities
  • Analysis and real-time alerts of malware attack
  • Scan lateral movement in the network
Get in touch with us for more information
With Fidelis Network, you can be assured that you have full and deep internal visibility across all the ports and protocols of your network.
Talk to our experts

Safeguard Cloud Environments Against Emerging Threats

As more and more organizations are moving towards cloud-only environments, the frequency and complexity of cyber-attacks will continue to rise. These attacks, especially by infamous cryptojacking groups like TeamTNT, act as a reminder that how vulnerable these servers can be.

We emphasize the need for robust security measures, so your cloud environment remains protected against such attacks. It is critical to adopt a strong and comprehensive cloud security strategy to ensure that your data and systems remain secure and avoid any kind of adversaries.

About Author

Picture of Yogesh Rawal
Yogesh Rawal

Yogesh is a technology enthusiast with a deep passion of transforming complex concepts of the cyber security world into simplified insights. With a blend of technical expertise and unique storytelling flair, he helps readers to navigate the ever-evolving cyber security landscape.

Related Readings

One Platform for All Adversaries

See Fidelis in action. Learn how our fast and scalable platforms provide full visibility, deep insights, and rapid response to help security teams across the World protect, detect, respond, and neutralize advanced cyber adversaries.

Get a Demo