← All Threat Actors
Threat Actor Profile

TeamTNT

Adept Libra G0139
▲ High Threat
In early Febuary, 2021 TeamTNT launched a new campaign against Docker and Kubernetes environments. Using a collection of container images that are hosted in Docker Hub, the attackers are targeting misconfigured docker daemons, Kubeflow dashboards, and Weave Scope, exploiting these environments in order to steal cloud credentials, open backdoors, mine cryptocurrency, and launch a worm that is looking for the next victim. They're linked to the First Crypto-Mining Worm to Steal AWS Credentials and Hildegard Cryptojacking malware. TeamTNT is a relatively recent addition to a growing number of threats targeting the cloud. While they employ some of the same tactics as similar groups, TeamTNT stands out with their social media presence and penchant for self-promotion. Tweets from the TeamTNT’s account are in both English and German although it is unknown if they are located in Germany.
Origin

Known TTPs

Local Storage Discovery
Disable or Modify System Firewall
External Remote Services
Remote Access Tools
Systemctl
Match Legitimate Resource Name or Location
Linux and Mac Permissions
File Deletion
Container Administration Command
Unix Shell
Registry Run Keys / Startup Folder
Systemd Service
Local Account
System Service Discovery
System Network Connections Discovery
Windows Service
Upload Malware
Windows Command Shell
Deploy Container
Container and Resource Discovery
Exfiltration Over Alternative Protocol
Process Discovery
PowerShell
Cloud Instance Metadata API
Clear Command History
Local Data Staging
Vulnerability Scanning
Container CLI/API
Software Packing
Malicious Image
Rootkit
Private Keys
Escape to Host
Scanning IP Blocks
Ingress Tool Transfer
Security Software Discovery
Compute Hijacking
File and Directory Discovery
SSH
Masquerading
Deobfuscate/Decode Files or Information
System Information Discovery
Encrypted/Encoded File
System Network Configuration Discovery
Network Service Discovery
Peripheral Device Discovery
Disable or Modify Tools
Application Layer Protocol
SSH Authorized Keys
Domains
Cloud API
Web Protocols
Credentials In Files
Clear Linux or Mac System Logs
Malware
Web Service

External Resources

CISA Advisories ↗

Related Intelligence

Hacking the mainframe…

LINK COPIED TO CLIPBOARD