Malicious Actor Targets Azure and Google Cloud in Evolving Credential-Stealing Campaign

In June 2023, a cloud credential-stealing campaign was discovered, indicating a shift in the adversary’s focus beyond AWS to target Azure and Google Cloud Platform (GCP) services.
SentinelOne and Permiso linked the campaign to the notorious TeamTNT cryptojacking crew, although attribution remains challenging due to script-based tools. The attacks single out public-facing Docker instances to deploy a worm-like propagation module and overlap with the ongoing Silentbob campaign disclosed by Aqua, highlighting the threat actor’s expertise in cloud environments.
As many as eight incremental versions of the credential harvesting script were identified between June 15, 2023, and July 11, 2023, showcasing an actively evolving campaign. The newer malware versions are designed to gather credentials from various cloud platforms and technologies, including AWS, Azure, GCP, Docker, Kubernetes, and more. The stolen credentials are then exfiltrated to a remote server under the threat actor’s control, demonstrating a sophisticated attack strategy.
Security researchers from SentinelOne noted that the tactics used in the campaign bear similarities to a Kubelet-targeting campaign undertaken by TeamTNT in September 2022, further implicating the notorious group.
Additionally, the threat actor was observed distributing a Golang-based ELF binary alongside the shell script malware, serving as a scanner to propagate the malware to vulnerable targets. Despite overlapping infrastructure, clear-cut attribution to TeamTNT is challenging due to certain differences in tactics, techniques, and procedures (TTPs), according to Sysdig.
The evolving and meticulous nature of the campaign indicates a seasoned cloud actor with experience and expertise across multiple technologies, making them a significant threat to cloud environments.
With the threat actor actively improving and fine-tuning their tools, researchers warn of potentially larger-scale campaigns in the future. The discovery of this credential-stealing campaign highlights the need for robust cybersecurity measures and continuous monitoring to protect cloud-based services from sophisticated attacks.