Cybersecurity firm Aqua has uncovered a potentially massive attack campaign targeting cloud-native environments. The campaign, known as “Silentbob,” utilizes an aggressive cloud worm designed to exploit exposed JupyterLab and Docker APIs.
This worm deploys the Tsunami malware, hijacks cloud credentials and resources, and spreads further infection. Aqua’s investigation was triggered by an attack on its honeypot, leading to the discovery of malicious container images and instances vulnerable to exploitation. The attack infrastructure discovered by Aqua is in its early stages of testing and deployment.
The aggressive cloud worm aims to deploy the Tsunami malware and execute various malicious activities, such as cloud credentials hijacking and resource hijacking. This worm primarily targets exposed JupyterLab and Docker APIs. Aqua describes it as a potentially massive campaign due to the significant damage it can cause to cloud-native environments. The Silentbob campaign has been linked to the cryptojacking group known as TeamTNT. The tactics, techniques, and procedures used in this campaign overlap with those employed by the notorious group.
However, it is also possible that this is the work of an advanced copycat. Aqua’s investigation revealed four malicious container images that were designed to detect vulnerable Docker and JupyterLab instances and deploy a cryptocurrency miner and the Tsunami backdoor. Aqua’s findings indicate that the Silentbob campaign has successfully exploited numerous servers with exposed JupyterLab instances.
These servers have either been actively attacked or have shown signs of exploitation. The attackers identify misconfigured servers and proceed to deploy containers or use the Command Line Interface (CLI) to scan for additional victims. The ultimate goal is to spread the malware to an increasing number of servers, with the secondary payload consisting of a crypto miner and the Tsunami backdoor.
As the Silentbob campaign continues to evolve and target cloud-native environments, the cybersecurity industry remains on high alert. The discovery of this attack infrastructure highlights the need for enhanced security measures to protect cloud-based systems. Organizations using cloud services should ensure proper configurations and security measures are in place to mitigate the risk of such attacks.
