G0139

TeamTNT

Also known as: Adept Libra · TeamTNT

Profile

In early February 2021, TeamTNT launched a new campaign against Docker and Kubernetes environments. Using a collection of container images hosted on Docker Hub, the attackers target misconfigured Docker daemons, Kubeflow dashboards, and Weave Scope, exploiting these environments to steal cloud credentials, open backdoors, mine cryptocurrency, and launch a worm that looks for the next victim. They are linked to the "First Crypto-Mining Worm to Steal AWS Credentials" and to the Hildegard cryptojacking malware.

TeamTNT is a relatively recent addition to a growing number of threats targeting the cloud. While they employ some of the same tactics as similar groups, TeamTNT stands out for their social media presence and penchant for self-promotion. Tweets from TeamTNT's account are in both English and German, although it is unknown whether they are located in Germany.

Aliases · 2

Adept Libra · TeamTNT

MITRE ATT&CK Group crosswalk

G0139

References

  1. https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
  2. https://malpedia.caad.fkie.fraunhofer.de/details/elf.teamtnt
  3. https://blog.aquasec.com/teamtnt-campaign-against-docker-kubernetes-environment
  4. https://cybersecurity.att.com/blogs/labs-research/teamtnt-delivers-malware-with-new-detection-evasion-tool
  5. https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials
  6. https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/
  7. https://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html
  8. https://cyware.com/news/hildegard-teamtnts-new-feature-rich-malware-targeting-kubernetes-6587eb45

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. Software: Hildegard
  2. Actor: TeamPCP
  3. Actor: TRIPLESTRENGTH
  4. Actor: Watchdog
  5. Actor: Denim Tsunami
  6. Actor: SCARLETEEL

Sourced from MISP-Galaxy Threat Actor cluster. Curated by Adam Lundqvist, Founder at SQUR.