TeamTNT was active for two years: researchers

Germany the hacker group’s likely home.

TeamTNT, which first made the news in 2020 deploying an AWS credential-stealing worm, ended up being active for more than two years, security researchers have claimed.

Late last week, CloudSEK researchers posted details of a 12-strong group called “TeamTNT”, whose members claim to have targeted Docker, Redis server, AWS, Weavescope and Kubernetes-hosted systems.

While active, CloudSEK says, the group posted their activities on Twitter under the @HildeTNT handle.

“TeamTNT’s Github profile contains 25 public repositories, most of which are the forks of the popular red teaming tools and other repositories possibly leveraged by them”, the advisory stated.

Malicious files and scripts were hosted on the teamtnt.red domain.

Their attack techniques depended on the environment they were trying to breach.

For example, in attacking Redis-hosted environments, they would use pnscan to look for services listening on port 6379; perform DDoS and execute commands using the Tsunami botnet; install the xmrigCC crypto miner; and deploy the Punk.py exploitation tool to collect usernames and SSH keys.
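The scanning step above only finds Redis instances that are reachable from outside the host, so a quick defensive check is to audit what is actually listening on port 6379. The script below is an added example, not from CloudSEK or the article; it parses output in the shape of `ss -ltnp` (the sample data is constructed, not from a real host) and flags watched services bound to non-loopback addresses.

```python
import ipaddress
import re

# Constructed sample output in the shape of `ss -ltnp`, not real host data.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:6379      0.0.0.0:*         users:(("redis-server",pid=812,fd=6))
LISTEN 0      511    0.0.0.0:6379        0.0.0.0:*         users:(("redis-server",pid=813,fd=6))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=401,fd=3))
LISTEN 0      128    *:6379              *:*               users:(("redis-server",pid=814,fd=7))
"""

# Ports worth watching; 6379 is the Redis port the article says was scanned for.
WATCHED_PORTS = {6379: "redis"}

# Matches the state, queue counters and the local address:port columns.
LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def is_exposed(addr):
    """True if the bind address accepts connections from outside the host."""
    if addr in ("*", "0.0.0.0", "::", "[::]"):
        return True  # wildcard binds listen on every interface
    addr = addr.strip("[]")  # ss prints IPv6 addresses in brackets
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True  # unrecognised form: safer to report it than to ignore it


def find_exposed_listeners(ss_output):
    """Return watched services that are bound to a non-loopback address."""
    findings = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or a non-LISTEN socket
        addr, port = m.group(1), int(m.group(2))
        if port in WATCHED_PORTS and is_exposed(addr):
            findings.append({"service": WATCHED_PORTS[port], "bind": addr, "port": port})
    return findings


if __name__ == "__main__":
    for f in find_exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"EXPOSED: {f['service']} listening on {f['bind']}:{f['port']}")
```

Run against live output with `ss -ltnp` piped in; the loopback-bound instance in the sample is correctly ignored while the two wildcard binds are reported.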

Apart from the AWS credential theft campaign, the group started Docker attacks in May 2020, CloudSEK claimed, with Kubernetes attacked since January 2021, and in July 2021 they launched another attack that included AWS in its targets.

Since TeamTNT wrote its Tweets and bash scripts in German, CloudSEK concluded that the group was based in Germany.

Copyright © iTnews.com.au . All rights reserved.