Botnet Deploys Cloud and Container Attack Techniques Cloud Investigation

The group also began using ezuri, a simple runtime crypter for Linux ELF binaries, to encrypt its malware and evade detection.

So all traffic into the building has to be initiated by somebody in the building. Then the next month was taking those 1,100 rules and working them down to some 300 and properly labelling them. My next steps are DNS sinkholes for ads, because they are technically user-initiated, and finding a way to label the Google and Facebook tracking stuff, because sweet Jesus, it's a lot.

The traditional way to get at KubeArmor logs is to find the KubeArmor pod running on the same node as the application pod and exec into it to read the logs. In Scan options, I can configure a list of inclusion tags, so that only EC2 instances with those tags are scanned, or exclusion tags, so that EC2 instances with tags in the list are skipped. The total amount is probably a lot larger, since crypto-mining campaigns commonly spread the operators' illicit gains across hundreds of wallets.

The spreading script works by looking for further reachable networks in the output of the _ip route_ command. The _pnscan_ tool then finds live SSH services on those networks, and the script attempts to authenticate to them with any SSH keys it has already harvested. It then deploys the same payload on the new hosts, and the attack spreads. One way to reduce antivirus interference with Docker's file operations is to add the Docker data directory (/var/lib/docker on Linux, %ProgramData%\docker on Windows Server, or $HOME/Library/Containers/com.docker.docker/ on Mac) to the antivirus's exclusion list. The trade-off is that viruses or malware in Docker images, container writable layers, or volumes are then not detected by that scanner at all.
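To see how much of a network a single infected host hands to the spreading script, the following added example (not code from the page or from the malware) parses `ip route` output the way such a script would and sizes the resulting SSH sweep. The route listing is constructed for illustration; `live_routes()` is an assumed helper for running the real command on a Linux host.

```python
import ipaddress
import subprocess

# Constructed sample of `ip route` output (not captured from a real host).
SAMPLE_IP_ROUTE = """\
default via 10.0.0.1 dev eth0 proto dhcp metric 100
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.15 metric 100
10.0.0.0/22 via 10.0.0.254 dev eth0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.50.0/24 via 10.0.0.254 dev eth0
169.254.0.0/16 dev eth0 scope link metric 1000
unreachable 10.99.0.0/16
"""


def parse_routes(ip_route_output: str) -> list:
    """Return the IPv4 prefixes an `ip route` listing hands to a spreading script.

    'default' (0.0.0.0/0) and link-local 169.254.0.0/16 are dropped: neither is
    a usable sweep range. Routes over a 'linkdown' interface are kept, because
    the worm has no reason to honour that flag; 'unreachable'/'blackhole'
    entries carry no prefix in the first field and are skipped. Overlapping
    prefixes are collapsed so each address is counted once.
    """
    nets = []
    for line in ip_route_output.splitlines():
        fields = line.split()
        if not fields or fields[0] == "default":
            continue
        try:
            net = ipaddress.ip_network(fields[0], strict=False)
        except ValueError:
            continue  # first field was a route type, not a prefix
        if net.version != 4 or net.is_link_local:
            continue
        nets.append(net)
    return sorted(ipaddress.collapse_addresses(nets))


def sweep_size(nets) -> int:
    """Number of addresses an SSH sweep over these prefixes would touch."""
    return sum(n.num_addresses for n in nets)


def live_routes() -> str:
    """Read the real routing table on a Linux host (assumes `ip` is on PATH)."""
    return subprocess.run(["ip", "route"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    targets = parse_routes(SAMPLE_IP_ROUTE)
    for net in targets:
        print(f"{net!s:>18}  {net.num_addresses:>6} addresses")
    print(f"total sweep: {sweep_size(targets)} addresses "
          f"across {len(targets)} prefixes")
```

Run it against `live_routes()` on a container host and the docker0 and overlay prefixes usually dominate the count, which is why a compromised Docker host is such a good pivot: every bridge network it routes to becomes an SSH target.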

In this post, we will dive into what this tool does and how to use it to leverage Docker for attacks against AWS ECS and ECR. Because stolen Docker credentials give the botnet a further foothold, he warned users to firewall the Docker API port rather than rely on strong passwords alone. Closing dormant ports and strictly limiting access to the few that are needed wards off most botnet attacks of this kind, as past campaigns have shown. The crypto-mining botnet uses a malicious shell script to steal credentials not just for AWS but also for Docker.

In this case, it is looking for the ~/.aws/credentials and ~/.aws/config files, where the AWS Command Line Interface typically stores unencrypted credentials and configuration details. Once found, the files are copied and uploaded to the attacker's command-and-control server using curl. TeamTNT is a cryptocurrency-mining botnet that exploits Docker APIs to gain access to victims' servers. It was first noted by Trend Micro researchers in mid-2020, who detailed how it cashes in on misconfigured Docker APIs to get in and install cryptocurrency-mining software. Once the infrastructure has been compromised, the bot sets up its own containers to mine Monero and to scan for additional Docker and Kubernetes servers.
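The files the stealer targets are plain INI files, so the obvious defensive counterpart is to inventory them yourself and find out which hosts hold long-lived keys. The following is an added example, not code from the page or from any vendor: it parses a credentials file the way the AWS CLI does and classifies each profile by the key prefix AWS documents (AKIA for long-lived IAM user keys, ASIA for temporary STS keys). The sample file is constructed and uses AWS's own placeholder key values; `find_credential_files()` is an assumed helper that walks home directories under a root you choose.

```python
import configparser
from pathlib import Path

# Constructed sample credentials file; the keys are the placeholder values
# AWS uses in its own documentation, not real secrets.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[ci]
aws_access_key_id = ASIAEXAMPLEEXAMPLEEX
aws_secret_access_key = exampleexampleexampleexampleexample
aws_session_token = IQoJb3JpZ2luX2VjEXAMPLESESSIONTOKEN

[sso]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
"""


def mask(key: str) -> str:
    """Keep enough of an access key ID to match it in IAM, never the whole value."""
    return key[:4] + "..." + key[-4:] if len(key) > 8 else "***"


def classify_profile(section) -> str:
    """AKIA = long-lived IAM user key (what the stealer wants); ASIA or a session
    token = temporary STS credentials that expire; otherwise no static secret."""
    key = section.get("aws_access_key_id", "")
    if key.startswith("AKIA"):
        return "long-lived"
    if key.startswith("ASIA") or "aws_session_token" in section:
        return "temporary"
    return "no-static-key"


def audit_credentials(text: str) -> list:
    """Parse one credentials file and report each profile's exposure."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return [
        {
            "profile": name,
            "kind": classify_profile(cfg[name]),
            "key": mask(cfg[name].get("aws_access_key_id", "")),
        }
        for name in cfg.sections()
    ]


def find_credential_files(root="/home") -> list:
    """Locate the same files the stealer looks for, one .aws directory per home."""
    found = []
    for home in Path(root).glob("*"):
        for name in ("credentials", "config"):
            path = home / ".aws" / name
            if path.is_file():
                found.append(path)
    return found


if __name__ == "__main__":
    for entry in audit_credentials(SAMPLE_CREDENTIALS):
        print(f"{entry['profile']:<10} {entry['kind']:<14} {entry['key']}")
```

Every profile the audit reports as long-lived is one the script above would have exfiltrated in a single `curl`; those are the keys to rotate and, where the host is an EC2 instance, to replace with instance-profile credentials that never touch disk.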

Once you have all of the prerequisites, there are a few ways to install CCAT: from source code or using CCAT's Docker image. The group also uses obfuscation and encodings in its bash scripts and in its communication with C2 servers. It continued its attacks on Docker, but switched from Alpine base images to Ubuntu images.

Furthermore, Oliveira says TeamTNT has now also added a feature to collect Docker API credentials, on top of the AWS credential-stealing code. After it began stealing AWS credentials last summer, the TeamTNT botnet is now also stealing Docker API logins, making a firewall mandatory for every internet-exposed Docker interface. In order to demonstrate how to use CCAT, we will run through a small example scenario below, where an attacker uses CCAT to abuse compromised AWS credentials for further exploitation of the AWS environment. The attacker explores the AWS environment and discovers they are able to list ECR repositories using the compromised AWS credentials.

In addition, a proper zero-trust implementation requires that communication between containers is only possible when the containers can authenticate to each other with certificates (mutual TLS). If your endpoint must be reachable remotely, Docker recommends configuring a docker context so that the Docker socket is only exposed to users who can log in to the Docker host via SSH. This specific malicious Docker image was first detected in China, and detailed triage is available here and here by Chinese researchers.
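The exposure the botnet exploits is usually a single line in /etc/docker/daemon.json: a `tcp://` listener without TLS client verification. The following added example (not code from the page or from Docker) checks a daemon.json for that mistake, with a constructed weak config beside a constructed hardened one. The option names (`hosts`, `tlsverify`, `tlscacert`, `tlscert`, `tlskey`) are Docker's real daemon options; the paths and addresses in the samples are placeholders.

```python
import json

# Constructed examples of /etc/docker/daemon.json, not taken from the page.
# Weak: plaintext API on every interface; anyone who can reach 2375 can run
# a privileged container and is effectively root on the host.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Hardened: bound to one address, TLS with client-certificate verification.
# Better still is no TCP listener at all and `docker context create NAME
# --docker host=ssh://user@host` on the client side.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.15:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_daemon_config(text: str) -> list:
    """Return (listener, finding) pairs for every risky TCP listener.

    no-tls          TCP listener without tlsverify plus CA, cert and key.
    all-interfaces  bound to 0.0.0.0 or ::, i.e. facing every attached network.
    A config that only uses the Unix socket yields no findings.
    """
    cfg = json.loads(text)
    hosts = cfg.get("hosts", ["unix:///var/run/docker.sock"])
    tls_ok = cfg.get("tlsverify") is True and all(
        cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey")
    )
    findings = []
    for listener in hosts:
        if not listener.startswith("tcp://"):
            continue
        host, _, _port = listener[len("tcp://"):].rpartition(":")
        if not tls_ok:
            findings.append((listener, "no-tls"))
        if host.strip("[]") in ("", "0.0.0.0", "::"):
            findings.append((listener, "all-interfaces"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(text) or "no findings")
```

Note that a `no-tls` finding is the serious one regardless of the bind address: a TCP listener on a private address is still one SSRF or one compromised neighbour away from the botnet's scanner, which is exactly the lateral path the spreading script takes.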

Previously the main payload of the attack was the XMRig tool, used for crypto-currency mining. This has since been extended to include credential theft, and the IRC bot is also capable of launching distributed denial-of-service attacks. At the time, researchers said that TeamTNT was the first crypto-mining botnet to implement a feature dedicated to collecting and stealing AWS credentials. Docker and other container technologies are becoming increasingly popular and are being adopted by many companies. In recent cloud pentesting engagements, we have similarly noticed that many of our clients use container technology to run their systems.