Trend Micro: Cryptojacking Group TeamTNT Targets Clusters in Wormlike Attack
Kubernetes, developed and backed by Google, is one of the most widely adopted container orchestration platforms for automating the deployment, scaling and management of containerized applications.
“The high number of targets shows that TeamTNT is still expanding its reach, especially in cloud environments, and perhaps infrastructure, since the group can monetize a more significant amount from their campaigns with more potential victims,” Magno Logan, information security specialist and senior threat researcher at Trend Micro, writes in a blog post.
Kubernetes clusters are an attractive attack target because they are often misconfigured, the researchers say.
TeamTNT is a cloud-focused cryptojacking group that often targets Amazon Web Services credential files on compromised cloud systems to mine for the cryptocurrency Monero. Security researchers first spotted the group in 2020.
The group has been scanning for and compromising Kubernetes clusters in the wild, Trend Micro reports. Several IPs were repeatedly exploited between March and May, the company says.
In previous research, Trend Micro highlighted that TeamTNT was actively stealing AWS, Docker and Linux Secure Shell credentials as well as waging cryptojacking attacks and placing backdoors – such as IRC bots and remote shells…