Cryptojacking has become a common occurrence as the cryptocurrency industry grows. In the past several days, researchers discovered a crypto-mining worm spreading in the wild that is designed to steal Amazon Web Services (AWS) credentials. According to the researchers, it is the first worm to contain AWS-specific functionality. Alongside the coin miner and DDoS bot it deploys, the worm also steals credentials stored locally on the hosts it infects.


Cado Security analysts also said that the worm scans the internet for misconfigured Docker installations, that is, Docker daemons whose API is reachable over the network without authentication. The attackers call themselves ‘TeamTNT’ and have so far compromised many Docker hosts, Kubernetes clusters, and Jenkins systems. Many believe the attacks are indicative of a wider trend.

As organizations continue to migrate their computing resources to cloud and container environments, attackers are following them into the new space.

The Original Threat

TeamTNT’s ‘calling card’ is displayed when the worm first runs on a target host. The worm was first spotted by Trend Micro researchers and MalwareHunterTeam in May 2020.


At that time, the original worm would:

  • Create an Alpine Linux container to host the coin miner and DDoS bot
  • Download and install the coin miner
  • Scan for exposed Docker daemon ports (i.e., Docker APIs reachable over the network without authentication) to find further hosts to infect
  • Collect all accessible system information and send it to the command-and-control (C&C) server
  • Search for and delete competing coin miners and malware
  • Download extra utilities, including a log cleaner and a tool that attackers commonly use to pivot to other machines on the network over SSH.

The original threat could also reconfigure the firewall of the infected host. It used that access to open the ports needed by its other components, to sinkhole selected domain names, and to exfiltrate sensitive information stored on the host machine.
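The worm's entry point, both in its original and its updated form, is a Docker daemon that answers API requests over the network without authentication. The following is an added example, not code from the article, from Cado Security or from TeamTNT's tooling, that audits a host for exactly that condition: it parses the `hosts` and `tlsverify` keys of `/etc/docker/daemon.json` (the same values `dockerd` accepts as `-H` and `--tlsverify`) for TCP listeners without client-certificate TLS, and interprets the reply to `GET /version`, which an open daemon answers with a JSON document. The two `daemon.json` documents in the block are constructed for illustration.

```python
"""Check a Docker host for an API reachable over plain TCP with no TLS.

Added example: this is not code from the article or from TeamTNT's tooling.
It audits the daemon's configured listeners (the "hosts"/"tlsverify" keys of
/etc/docker/daemon.json, the same values dockerd takes as -H/--tlsverify) and
interprets the reply to GET /version, which an open daemon answers with JSON.
The two daemon.json documents below are constructed for illustration.
"""
import http.client
import json
from urllib.parse import urlparse

DEFAULT_PLAIN_PORT = 2375   # dockerd's conventional unencrypted API port

# Constructed sample configs: the first exposes the API on every interface
# with no TLS, the second keeps it on loopback behind mutual TLS.
BAD_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
GOOD_DAEMON_JSON = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2376"],'
                    ' "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",'
                    ' "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}')


def risky_listeners(hosts, tls_verify=False):
    """Return the tcp:// listeners that expose the API without client-certificate TLS.

    hosts      -- dockerd listen URLs, e.g. ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
    tls_verify -- the daemon's tlsverify setting; when on, tcp listeners require a client cert
    """
    findings = []
    for entry in hosts:
        url = urlparse(entry)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are only reachable locally
        if tls_verify:
            continue  # mutual TLS: an unauthenticated scanner gets nothing
        addr = url.hostname or "0.0.0.0"   # dockerd binds all interfaces when the host part is empty
        findings.append({
            "listener": entry,
            "port": url.port or DEFAULT_PLAIN_PORT,
            "bound_everywhere": addr in ("0.0.0.0", "::"),
        })
    return findings


def audit_daemon_json(text):
    """Parse a daemon.json document and return its risky listeners."""
    cfg = json.loads(text)
    return risky_listeners(cfg.get("hosts", []), bool(cfg.get("tlsverify", False)))


def looks_like_docker_api(status, body):
    """True if an HTTP reply to GET /version is what an open Docker daemon returns."""
    if status != 200:
        return False
    try:
        data = json.loads(body)
    except ValueError:
        return False
    return isinstance(data, dict) and "ApiVersion" in data and "Version" in data


def probe(host, port=DEFAULT_PLAIN_PORT, timeout=3.0):
    """Live check of one of your own hosts (needs network access; authorized use only)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/version")
        resp = conn.getresponse()
        return looks_like_docker_api(resp.status, resp.read().decode("utf-8", "replace"))
    except OSError:
        return False   # closed port, timeout, or not HTTP at all
    finally:
        conn.close()


if __name__ == "__main__":
    for label, doc in (("bad", BAD_DAEMON_JSON), ("good", GOOD_DAEMON_JSON)):
        print(label, audit_daemon_json(doc))
```

Run `audit_daemon_json` over the daemon configuration of every container host you own, and `probe` only against hosts you are authorized to test; a daemon that returns JSON from `/version` on 2375 will accept `POST /containers/create` from the same scanner, which is all the worm needs.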

New Capabilities Of The Cryptojacking Worm

The latest version of the cryptojacking worm has gained new capabilities, as discovered by the Cado Security researchers. It can still scan for open Docker APIs, spin up a Docker image on the exposed host and install itself in a new container.

However, the worm now also scans for exploitable Kubernetes systems and searches the compromised host for files holding AWS credentials and configuration details (the AWS CLI and SDKs store these by default in ~/.aws/credentials and ~/.aws/config). It does this in case the compromised system runs on AWS infrastructure, where those keys would give the attackers access to the victim's cloud account.


The researchers noted that the code the criminals use to steal the files is relatively straightforward, and they expect other worms to copy the capability in the future.

The open question is whether the attackers are using the stolen credentials themselves or selling them to the highest bidder. To find out how the credentials are used, the researchers sent “canary” AWS keys to TeamTNT’s servers. So far, those keys have not been used. They concluded:

“This indicates that TeamTNT either manually assess and use the credentials, or any automation they may have created isn’t currently functioning.”

How Businesses Should Respond

These attacks are not particularly sophisticated. Even so, the groups that deploy cryptojacking worms regularly succeed in infecting large numbers of business systems. Experts therefore advise businesses to take several measures to avoid falling victim.

Businesses should use firewall rules to limit access to Docker APIs, preferably with an allowlist (whitelist) ruleset that permits only known management hosts and denies everything else. They should also identify all systems that store AWS credential files and delete the files where they are not needed.

It is common to find development credentials that were accidentally left on production systems. Businesses should therefore audit these files, secure the ones that are needed, and delete those that are no longer used.
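The files the worm collects are the same ones the two paragraphs above tell you to find and prune. The following is an added example, not code from the article, from Cado Security or from TeamTNT, of the inventory they recommend: it looks in the default AWS CLI and SDK locations (`~/.aws/credentials` and `~/.aws/config`) under each home directory it is given, lists the profiles with the key IDs redacted and the secrets dropped, and flags files that other users can read or that have not changed in months, which is what a forgotten development credential on a production host looks like. The sample file is constructed and uses the access key pair from AWS's own documentation examples; the `ci-temp` profile and the 90-day staleness threshold are assumptions for the example.

```python
"""Inventory AWS credential files left on hosts, reporting them with secrets redacted.

Added example; not code from the article, Cado Security or TeamTNT. It looks
in the default AWS CLI/SDK locations (~/.aws/credentials and ~/.aws/config)
under each home directory it is given, parses the profiles, and flags files
that are readable by other users or have not changed for a long time.
The sample file uses the access key pair from AWS's own documentation examples.
"""
import configparser
import os
import stat
import tempfile
import time

CRED_FILES = ("credentials", "config")
DAY = 86400

# Constructed sample: one long-term IAM user key (AKIA...) and one temporary
# session key (ASIA...). The key material is AWS's published example, not a real key.
SAMPLE_CREDENTIALS = """[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[ci-temp]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = EXAMPLEtokenEXAMPLEtoken
"""


def redact(value):
    """Keep enough of a key ID to match it in IAM without copying the secret around."""
    return value[:4] + "..." + value[-4:] if len(value) > 8 else "****"


def parse_credentials(text):
    """Return one record per profile with the key ID redacted and the secret dropped."""
    cp = configparser.ConfigParser(interpolation=None)   # secrets may contain '%'
    cp.read_string(text)
    records = []
    for section in cp.sections():
        # ~/.aws/config names profiles "[profile x]", ~/.aws/credentials just "[x]"
        name = section[len("profile "):] if section.startswith("profile ") else section
        key_id = cp.get(section, "aws_access_key_id", fallback="")
        records.append({
            "profile": name,
            "access_key_id": redact(key_id) if key_id else "",
            "long_term_key": key_id.startswith("AKIA"),   # AKIA = IAM user key, ASIA = temporary STS key
            "has_secret": cp.has_option(section, "aws_secret_access_key"),
        })
    return records


def inventory(home_dirs, now=None, stale_days=90):
    """Look in <home>/.aws for each home directory and describe what is there."""
    now = time.time() if now is None else now
    findings = []
    for home in home_dirs:
        for fname in CRED_FILES:
            path = os.path.join(home, ".aws", fname)
            if not os.path.isfile(path):
                continue
            st = os.stat(path)
            with open(path, encoding="utf-8") as fh:
                profiles = parse_credentials(fh.read())
            age = now - st.st_mtime
            findings.append({
                "path": path,
                "profiles": profiles,
                "other_users_can_read": bool(st.st_mode & (stat.S_IRGRP | stat.S_IROTH)),
                "age_days": int(age // DAY),
                "stale": age > stale_days * DAY,
            })
    return findings


def write_sample(home):
    """Drop the constructed sample into <home>/.aws/credentials, deliberately
    group/world-readable and 200 days old, so inventory() has something to flag."""
    aws_dir = os.path.join(home, ".aws")
    os.makedirs(aws_dir, exist_ok=True)
    path = os.path.join(aws_dir, "credentials")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_CREDENTIALS)
    os.chmod(path, 0o644)
    old = time.time() - 200 * DAY
    os.utime(path, (old, old))
    return path


def demo():
    """Run the inventory against a throwaway home directory holding the sample."""
    home = tempfile.mkdtemp(prefix="aws-inventory-demo-")
    write_sample(home)
    return inventory([home])


if __name__ == "__main__":
    for finding in demo():
        print(finding["path"], "stale" if finding["stale"] else "recent",
              "readable-by-others" if finding["other_users_can_read"] else "owner-only")
        for profile in finding["profiles"]:
            print("  ", profile)
```

In production, pass the real home directories (for example every entry in `/etc/passwd` plus the service account homes your deployment tooling uses) and ship only the redacted records to your ticketing system; the redacted key ID is enough to look the key up in IAM and rotate or delete it, which is the remediation for any file you decide to remove.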

Experts also say that businesses should review their network traffic for connections to mining pools and for connections using the Stratum mining protocol, which is how a miner talks to its pool. They should also review outbound connections for HTTP requests that carry the contents of an AWS credentials file, since that is the sign that stolen keys are leaving the host.
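Both recommendations above turn into detection logic fairly directly. The following is an added example, not from the article or from Cado Security, that runs over a constructed stand-in for what a proxy, IDS or Zeek-style log would give you (source, destination host, port and the first bytes of the payload) and tags three things: Stratum or xmrig-style JSON-RPC messages, destinations on a pool block list, and HTTP bodies that look like an AWS credentials file. The `pool.example` suffix is a placeholder for the operator's own list, the sample records use TEST-NET addresses, and the key material is AWS's documentation example.

```python
"""Flag outbound traffic that matches the two behaviours the article says to hunt for:
Stratum/JSON-RPC mining-pool sessions and HTTP requests carrying an AWS credentials file.

Added example; not from the article or Cado Security. Input records are a
constructed stand-in for what a proxy, IDS or Zeek-style log would give you
(source, destination host, port, and the first bytes of the payload). The
pool suffix list is a placeholder for the operator's own block list.
"""
import json
import re

# JSON-RPC methods used by Stratum (mining.*) and by xmrig-style Monero miners (login/submit/keepalived)
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                   "mining.notify", "mining.set_difficulty", "login", "submit", "keepalived"}
# Long-term (AKIA) or temporary (ASIA) AWS access key IDs: prefix plus 16 uppercase alphanumerics
KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
CRED_FILE_MARKERS = ("aws_access_key_id", "aws_secret_access_key")
POOL_SUFFIXES = ("pool.example",)   # placeholder: replace with the pool domains you block


def stratum_method(payload):
    """Return the JSON-RPC method if the payload carries a Stratum-style message, else None."""
    for line in payload.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            msg = json.loads(line)
        except ValueError:
            continue
        if isinstance(msg, dict) and msg.get("method") in STRATUM_METHODS:
            return msg["method"]
    return None


def classify(rec):
    """Return the list of alert tags for one connection record (empty if benign)."""
    alerts = []
    host = rec.get("dst_host", "")
    payload = rec.get("payload", "")
    method = stratum_method(payload)
    if method:
        alerts.append("stratum:" + method)
    if host.endswith(POOL_SUFFIXES):
        alerts.append("known-pool")
    # A credentials file carries the INI keys; a bare key ID is only suspicious when the
    # request is not a normally signed call to an AWS endpoint (SigV4 puts the key ID in a header).
    to_aws = host.endswith(".amazonaws.com")
    lowered = payload.lower()
    if any(m in lowered for m in CRED_FILE_MARKERS) or (not to_aws and KEY_ID_RE.search(payload)):
        alerts.append("aws-credential-exfil")
    return alerts


def scan(records):
    """Return (src, dst_host, alerts) for every record that raises at least one alert."""
    hits = []
    for rec in records:
        alerts = classify(rec)
        if alerts:
            hits.append((rec["src"], rec["dst_host"], alerts))
    return hits


# Constructed sample records (TEST-NET addresses; key material is AWS's documentation example)
SAMPLE_RECORDS = [
    {"src": "10.0.0.7", "dst_host": "203.0.113.10", "dst_port": 3333,
     "payload": '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"wallet","pass":"x","agent":"XMRig/6.3.0"}}\n'},
    {"src": "10.0.0.8", "dst_host": "eu.pool.example", "dst_port": 4444,
     "payload": '{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.5.1"]}\n'},
    {"src": "10.0.0.9", "dst_host": "198.51.100.5", "dst_port": 80,
     "payload": "POST /upload HTTP/1.1\r\nHost: 198.51.100.5\r\n\r\n"
                "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"},
    {"src": "10.0.0.7", "dst_host": "s3.amazonaws.com", "dst_port": 443,
     "payload": "GET / HTTP/1.1\r\nHost: s3.amazonaws.com\r\n"
                "Authorization: AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20200818/us-east-1/s3/aws4_request\r\n\r\n"},
    {"src": "10.0.0.8", "dst_host": "www.example.com", "dst_port": 443, "payload": ""},
]


if __name__ == "__main__":
    for src, dst, alerts in scan(SAMPLE_RECORDS):
        print(f"{src} -> {dst}: {', '.join(alerts)}")
```

Two caveats for anyone deploying this: a miner that speaks Stratum over TLS (`stratum+ssl://`) or through a proxy shows no JSON on the wire, so the destination list and flow features such as long-lived sessions to unusual ports have to carry the detection; and the exclusion for signed requests to `*.amazonaws.com` means a thief who uploads the file straight into a bucket in their own account would not be caught by the payload rule, so pair it with egress restrictions on which AWS endpoints and accounts your hosts may talk to.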

About the author

Wanguba Muriuki is an Editor at Large for E-Crypto News and author of the book "The Exploitative Intrigues of Cryptocurrency Scams Explained." He is also a passionate creator who sees every aspect of life from a written perspective. He loves Blockchain, Cryptocurrency, Technology, and Traveling. He is a widely experienced creative and technical writer. Everything and everyone is describable. The best description is written.
