Cryptojacking has become a common occurrence in the growing cryptocurrency industry. In the past several days, researchers discovered a crypto-mining worm spread. The worm is designed to steal Amazon Web Services (AWS) credentials. It is the first worm that has ever been designed with such precise AWS functionality. The malicious crypto miner and DDoS worm also steal local credentials.
Cado Security analysts also said that the worm scans the internet targeting misconfigured Docker platforms. These attackers call themselves ‘TeamTNT’ and they have so far compromised many Docker, Kubernetes clusters, and Jenkins systems. Many believe that the attacks are indicative of a wider trend.
As many organizations continuously migrate their computing resources to cloud and container environments, more attackers are following them in the new space.
The Original Threat
At that time, the original worm would:
- Create an Alpine Linux container that would host the coin miner and DDoS bot
- Download and also install the coin miner
- Scan for open Docker daemon ports (i.e., misconfigured Docker containers)
- Collect all accessible system information and send it to the C&C server
- Search for and delete all other coin miners and malware
- Download extra utilities including a log cleaner and a tool that attackers normally use to station and pivot to other devices in the network through SSH.
The original threat was also designed with the ability to configure the firewall of their targeted network. They would then use the configuration to support ports that can be used by the other components, sinkhole other domain names, and exfiltrate sensitive information that is stored in the host machine.
New Capabilities Of The Cryptojacking Worm
The latest version of the cryptojacking worm has been installed with new capabilities as discovered by the Cado Security researchers. It still can scan for any open Docker APIs and then spin up Docker images and install itself in a new container.
However, the worm now also searches for any available exploitable Kubernetes systems and files that have AWS credentials and configuration details. It does all that just in case the compromised systems operate on the AWS infrastructure.
The researchers noted that the code that cybercriminals use to steal the files is relatively straightforward. They now expect other worms to copy the new ability in the future.
But the issue arises; are these attackers using these stolen credentials or are they selling them to the highest bidder? Researchers tried to determine how the hackers are using the stolen credentials by sending “canary” AWS keys to TeamTNT’s servers. For now, these keys are yet to be used. They concluded:
“This indicates that TeamTNT either manually assess and use the credentials, or any automation they may have created isn’t currently functioning.”
How Businesses Should Respond
These attacks are not quite sophisticated. But, many groups out there who deploy different types of cryptojacking worms mostly succeed at infecting huge amounts of business systems. Thus, experts advise businesses to take various measures to protect themselves from falling victims to these hackers.
Businesses should use firewall rules to limit all access to Docker APIs. It is highly advisable to use a whitelisted approach for the businesses’ firewall ruleset. Also, they should identify all the systems that store Amazon Web Services credential files and delete them if they are not necessary.
It is normal to find development credentials that have been accidentally left on production systems. Thus, businesses should sort everything out, secure the needed files, and deletes those that are no longer useful.
Experts also say that businesses should review their network traffic for any connections that may exist to mining pools or those using the Stratum mining protocol. These hackers have discovered ways to compromise the connections. Also, the businesses should review all connections that send the AWS Credentials file of the HTTP to ensure that they are entirely secured always.