Nearly 50,000 IPs Compromised in Kubernetes Clusters


Trend Micro: Cryptojacking Group TeamTNT Targets Clusters in Wormlike Attack


Researchers at Trend Micro say about 50,000 IPs were compromised across multiple Kubernetes clusters in a wormlike attack by the cloud-focused cryptojacking group TeamTNT.


Kubernetes, developed and backed by Google, is one of the most widely adopted container orchestration platforms for automating the deployment, scaling and management of containerized applications.

“The high number of targets shows that TeamTNT is still expanding its reach, especially in cloud environments, and perhaps infrastructure, since the group can monetize a more significant amount from their campaigns with more potential victims,” Magno Logan, information security specialist and senior threat researcher at Trend Micro, writes in a blog post.

Attractive Target

Kubernetes clusters are an attractive attack target because they are often misconfigured, the researchers say.

TeamTNT is a cloud-focused cryptojacking group that often targets Amazon Web Services credential files on compromised cloud systems to mine for the cryptocurrency Monero. Security researchers first spotted the group in 2020.

The group has been scanning for and compromising Kubernetes clusters in the wild, Trend Micro reports. Several IPs were repeatedly exploited between March and May, the company says.

In previous research, Trend Micro highlighted that TeamTNT was actively stealing AWS, Docker and Linux Secure Shell credentials, as well as waging cryptojacking attacks and placing backdoors – such as IRC bots and remote shells…