A cloud campaign orchestrated by the notorious TeamTNT group, known as Silentbob, has infected approximately 196 hosts, aiming its attacks at Docker and Kubernetes environments, Redis servers, Postgres databases, Hadoop clusters, Tomcat and Nginx servers, Weave Scope, SSH, and Jupyter applications.
This aggressive botnet operation seems to prioritize system infection and botnet testing over the deployment of cryptominers for financial gains. Aqua security researchers have uncovered a broader and more sophisticated campaign infrastructure, utilizing rogue container images to scan the internet for vulnerable instances and infect new victims with the Tsunami malware.
The Silentbob campaign has demonstrated its relentless and fast-paced nature, rapidly spreading across cloud environments and targeting a wide range of services and applications in the Software Development Life Cycle (SDLC). Operating with remarkable scanning capability, the attackers utilize the Internet Relay Chat (IRC) protocol for command-and-control communication, allowing them to maintain backdoor access to all infected hosts.
To further conceal their cryptomining activities, they employ a rootkit called prochider, making it challenging to detect when running the ps command on compromised systems to retrieve the list of active processes. The threat actors have evolved their tradecraft, seeking specific credentials for applications such as Grafana, Kubernetes, Docker Compose, Git access, and NPM, while also targeting databases and storage systems like Postgres, AWS S3, Filezilla, and SQLite across various cloud environments, including AWS, Azure, and GCP.
Furthermore, Aqua security researchers have identified a connection between the Silentbob campaign and the SCARLETEEL attack, disclosed by Sysdig, which aims to compromise AWS infrastructure for data theft and cryptocurrency mining. The evidence strongly indicates that SCARLETEEL is another campaign launched by TeamTNT, with IP addresses and TTPs being closely aligned, confirming the group’s continuous and relentless offensive activities.
As this aggressive botnet campaign continues to escalate, organizations relying on cloud infrastructures must prioritize their security measures, promptly update all systems, and implement stringent authentication protocols to fend off these highly sophisticated cyber threats.
