Secrets must be kept confidential in order for networks to be protected and supply-chain attacks to be avoided. Malicious actors frequently target secrets in storage mechanisms and harvest credentials from systems that have been compromised. DevOps software often stores credentials in plain text that is accessible even without user intervention, posing a significant security risk.
When inside a victim's device, malicious actors have been known to steal cloud service provider (CSP) credentials. For example, the cybercriminal group TeamTNT is no stranger to attacking cloud containers, expanding their arsenal to steal cloud credentials, and experimenting with new environments and intrusive activities.
Trend Micro discovered new evidence that TeamTNT has expanded its credential harvesting capabilities to threaten numerous cloud and non-cloud services in victims' internal networks and systems post-compromise in the group's most recent attack routine.
The malware created by TeamTNT is designed to steal credentials from specific applications and services. It infects Linux machines with vulnerabilities such as exposed private keys and recycled passwords, and it focuses on looking for cloud-related data on infected devices.
Cloud misconfigurations and repeated passwords, as in the group's other attacks, make it easy to gain access to a victim's device. To gain access to other systems, the community harvests credentials for Secure Shell (SSH) and Server Message Block (SMB), as before. Both intrusion strategies have the ability to disperse their payloads in a worm-like manner.
The malware searches for app configurations and data based on a search list when running through the linked devices, and sends them to the command-and-control (C&C) server, using a.netrc file to automatically log in using the harvested credentials. Comparing the harvester with the group’s previous versions, Trend Micro saw a significant increase in targets.
Since TeamTNT's payloads are focused on illegal Monero mining, it's no surprise that the malware searches the infected system for Monero configuration data. The malware looks for Monero wallets on all devices that the group has access to.
The malware attempts to remove all traces of itself from the infected device at the end of its routine. According to research, it strongly suggests that this is not being achieved effectively. Although the command "history -c" clears the Bash history, some commands continue to run and leave traces on other sections of the device.
Malicious actors deliberately search internal networks and systems for legitimate users' credentials in order to facilitate their post-intrusion activities. They could use the cloud services paid for by legitimate organizations for other malicious purposes if they have CSP credentials.
Furthermore, plaintext credentials are a gold mine for cybercriminals, particularly when used in subsequent attacks. Vulnerabilities, especially those in unpatched and otherwise unsecured internet-facing systems, are the same.
Customers are advised to use the hidden vaults provided by their CSPs and adopt these best practices to minimize the risks of this TeamTNT routine and other related threats:
1.Adopt the collective responsibility model and enforce the concept of least privilege.
2.Replace default credentials with strong and stable passwords and make sure that the security settings of various systems environments are personalized to the needs of the company.
3.Avoid storing passwords in plain text and use multifactor authentication.
