Crypto-mining botnet is now stealing Docker and AWS credentials

Priderock Joy
2 min read · Jan 12, 2021


A crypto-mining botnet is using a malicious shell script to steal credentials from Docker and AWS.

Analysts from security firm Trend Micro said in a report that they spotted a malware botnet that collects and steals Docker and AWS credentials.

The researchers have linked the botnet to a cybercrime operation known as TeamTNT, a group first spotted in summer 2020 installing cryptocurrency-mining malware on misconfigured container platforms and stealing credentials.

The threat actors used shell scripts to carry out their activity. They breached exposed container platforms by scanning for Docker hosts whose management API port was reachable from the internet without authentication, and they also stole credentials for Amazon Web Services (AWS) in order to pivot to a company's other IT systems, infect more servers and deploy more crypto-miners.

Researchers said that TeamTNT was the first crypto-mining botnet to implement a feature dedicated to collecting and stealing AWS credentials.

Alfredo Oliveira, a senior security researcher at Trend Micro, said, "Bash was used to develop the malicious shell script. Compared to past similar attacks, the development technique was much more refined for this script. There were no more endless lines of code, and the samples were well-written and organized by function with descriptive names."

Furthermore, Oliveira says TeamTNT has now added a feature to collect Docker API credentials on top of the AWS credential-stealing code. This feature is most likely used on container platforms where the botnet infects hosts through entry points other than its original Docker API port scanning.

Oliveira points out that with this new feature, "implementing [Docker] API authentication is not enough." He suggests that companies make sure Docker management APIs are not exposed online in the first place, even when strong credentials are in use.

In cases where organizations must enable the API ports, the Trend Micro researcher recommends deploying firewalls and using allow-lists to limit who can reach the port.
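As an added example, not part of the original post or of Trend Micro's report, the Python script below audits a Docker host for the two conditions the article describes: a daemon listening on an unauthenticated TCP port (the entry point the botnet scans for), and plaintext Docker registry and AWS credentials sitting where a harvesting script would collect them. The file paths are the default locations used by dockerd, the Docker CLI and the AWS CLI; the daemon.json, config.json and credentials samples embedded in it are constructed for the demonstration, with AWS's documented placeholder key IDs.

```python
"""Audit a Docker host for the exposures discussed above (added example).

Checks two things:
  1. dockerd listening on a TCP socket without TLS client authentication,
     or bound to all interfaces: the "exposed API port" entry point.
  2. Docker registry and AWS credentials stored in plaintext where a
     harvesting script running on the host would find them.
The sample configs below are constructed; the live-host paths are the
defaults of dockerd, the Docker CLI and the AWS CLI.
"""
import base64
import configparser
import json
import os
from pathlib import Path
from typing import Dict, List, Tuple
from urllib.parse import urlparse


def audit_daemon_config(daemon_json: str) -> List[str]:
    """Return findings for a dockerd daemon.json passed as a JSON string."""
    cfg = json.loads(daemon_json)
    # Client-certificate auth needs both tlsverify and a CA to verify against.
    tls_client_auth = bool(cfg.get("tlsverify")) and bool(cfg.get("tlscacert"))
    findings = []
    for host in cfg.get("hosts", []):
        url = urlparse(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are local-only
        if not tls_client_auth:
            findings.append(f"{host}: TCP API without TLS client auth; "
                            "any client that can reach it controls the daemon")
        if url.hostname in ("0.0.0.0", "::", None):
            findings.append(f"{host}: bound to all interfaces; bind an internal "
                            "address and allow-list sources in the firewall")
    return findings


def harvested_docker_registry_creds(config_json: str) -> List[Tuple[str, str]]:
    """Decode the base64 'user:password' entries the Docker CLI writes to
    ~/.docker/config.json under "auths" when no credential helper is set.
    Returns (registry, username) pairs: exactly what a harvester collects."""
    cfg = json.loads(config_json)
    found = []
    for registry, entry in cfg.get("auths", {}).items():
        if entry.get("auth"):
            user, _, _password = base64.b64decode(entry["auth"]).decode().partition(":")
            found.append((registry, user))
    return found


def harvested_aws_creds(credentials_ini: str, env: Dict[str, str]) -> List[str]:
    """Return AWS access key IDs from an ~/.aws/credentials file body and from
    the process environment, the two places a harvester looks first."""
    parser = configparser.ConfigParser()
    parser.read_string(credentials_ini)
    keys = [parser[section]["aws_access_key_id"]
            for section in parser.sections()
            if "aws_access_key_id" in parser[section]]
    if env.get("AWS_ACCESS_KEY_ID"):
        keys.append(env["AWS_ACCESS_KEY_ID"])
    return keys


# Constructed samples: the weak daemon.json exposes the API on all interfaces
# without TLS; the hardened one binds an internal address with client certs.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True, "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"})
SAMPLE_DOCKER_CONFIG = json.dumps({"auths": {
    "https://index.docker.io/v1/": {"auth": base64.b64encode(b"ci-user:hunter2").decode()}}})
SAMPLE_AWS_CREDENTIALS = (  # key values are AWS's documented placeholders
    "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
    "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n")


def audit_live_host() -> Dict[str, object]:
    """Run the same checks against the default file locations on this host."""
    report: Dict[str, object] = {}
    daemon = Path("/etc/docker/daemon.json")
    if daemon.is_file():
        report["daemon"] = audit_daemon_config(daemon.read_text())
    docker_cfg = Path.home() / ".docker" / "config.json"
    if docker_cfg.is_file():
        report["registry_creds"] = harvested_docker_registry_creds(docker_cfg.read_text())
    aws = Path.home() / ".aws" / "credentials"
    report["aws_keys"] = harvested_aws_creds(aws.read_text() if aws.is_file() else "",
                                            dict(os.environ))
    return report


if __name__ == "__main__":
    print("weak daemon.json:", audit_daemon_config(WEAK_DAEMON_JSON))
    print("hardened daemon.json:", audit_daemon_config(HARDENED_DAEMON_JSON))
    print("registry creds on disk:", harvested_docker_registry_creds(SAMPLE_DOCKER_CONFIG))
    print("aws keys on disk:", harvested_aws_creds(SAMPLE_AWS_CREDENTIALS, {}))
    print("this host:", audit_live_host())
```

The hardened daemon.json passes the audit only because it binds an internal address with client-certificate verification; following the article's advice, even that listener should sit behind a firewall allow-list rather than be reachable from the internet. Any registry or AWS entries the script reports are credentials an intruder on the host would obtain with a single file read, so the remediation is a credential helper for Docker and instance roles or short-lived tokens instead of long-lived keys for AWS.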


Written by Priderock Joy

Network Support Engineer | Technical Support Specialist | Radio Transmission Engineer | Network Engineer | IT Support | Photographer| Blogger