TeamTNT, which first made the news in 2020 deploying an AWS credential-stealing worm, ended up being active for more than two years, security researchers have claimed.

Late last week, CloudSEK researchers posted details of a 12-strong group called “TeamTNT”, who claim they have targeted Docker, Redis server, AWS, Weavescope and Kubernetes-hosted systems.
While active, CloudSEK says, the group posted their activities on Twitter under the @HildeTNT handle.
“TeamTNT’s Github profile contains 25 public repositories, most of which are the forks of the popular red teaming tools and other repositories possibly leveraged by them”, the advisory stated.
Malicious files and scripts were hosted on the teamtnt.red domain.
Their attack techniques depended on the environment they were trying to breach.
For example, in attacking Redis-hosted environments, they would use pnscan to look for services listening on port 6379; perform DDoS attacks and execute commands using the Tsunami botnet; install the xmrigCC crypto miner; and deploy the Punk.py exploitation tool to collect usernames and SSH keys.
Apart from the AWS credential theft campaign, the group started Docker attacks in May 2020, CloudSEK claimed, and has attacked Kubernetes since January 2021. In July 2021 they launched another attack that included AWS in its targets.
Since TeamTNT wrote its tweets and bash scripts in German, CloudSEK concluded that the group was based in Germany.