AWS Malware Harvests Credentials and Installs Cryptominers
Another cryptomining worm has plagued Amazon Web Services (AWS) cloud infrastructure. Security experts have warned that the worm, attributed to a group called TeamTNT, has a number of nefarious side effects. Its primary focus is mining cryptocurrency on the hosts it takes over, but it also steals server and user credentials in order to exploit them further. The worm uses a number of known malware and security-evasion tools, such as punk.py, log cleaning and the Diamorphine rootkit.
Cyber security experts are urging businesses that use AWS to identify any storage units and AWS credential files that they did not explicitly create. Such files must be removed; in addition, network traffic should be closely analysed, and owners of AWS accounts are asked to continuously monitor their cloud servers. Users are urged to look for connections to mining pools, and credentials being moved over HTTP should be flagged and reported to AWS. A further way to protect yourself is to use firewall rules to limit access to server APIs on AWS.
The worm scans the platform for misconfigured servers and unsecured backdoors, which it uses to infiltrate those servers and steal cloud credentials. Usually this type of malware is engaged in cryptomining, but this fresh backdoor type of malware has been employed for everything from denial-of-service to sabotage to ransomware. The attacks begin with the way AWS stores credential files, which are not encrypted. The code to steal credentials therefore does not need to be complicated, as the credential files are easily opened. Once credential files have been uploaded to TeamTNT, new server images can be installed and old ones compromised.
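As a defender-side illustration of the monitoring advice above (an added example, not code from the article or from any of the researchers it cites), the following Python flags egress log lines that talk to a mining pool or push AWS key material over cleartext HTTP, and lists credential files that are absent from an operator-maintained inventory. The proxy log format, the pool port watchlist and the sample lines are assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed watchlist (an assumption, not from the article): 'stratum' is the
# protocol mining pools speak; these ports are common pool endpoints.
STRATUM_RE = re.compile(r"^stratum\+tcp://", re.I)
MINING_POOL_PORTS = {3333, 4444, 5555, 7777, 14444}
# AWS key material: the INI keys of ~/.aws/credentials and the access-key id prefix.
CRED_RE = re.compile(r"aws_access_key_id|aws_secret_access_key|\bAKIA[0-9A-Z]{16}\b")

def classify(line):
    """Tag one egress log line of the hypothetical proxy format
    '<timestamp> <source-ip> <method> <url> <request-body-excerpt or ->'."""
    parts = line.split(None, 4)
    if len(parts) < 4:
        return []
    url, body = parts[3], (parts[4] if len(parts) == 5 else "")
    parsed = urlparse(url)
    try:
        port = parsed.port
    except ValueError:  # non-numeric port in the URL: cannot be a pool-port match
        port = None
    tags = []
    if STRATUM_RE.search(url) or port in MINING_POOL_PORTS:
        tags.append("mining-pool")
    # Key material in a cleartext HTTP request is what the article says to flag and
    # report to AWS; TLS traffic is opaque here unless the proxy terminates it.
    if parsed.scheme == "http" and CRED_RE.search(body):
        tags.append("creds-over-http")
    return tags

def scan_log(lines):
    """Return (1-based line number, tags) for each line that raised a tag."""
    hits = [(n, classify(line)) for n, line in enumerate(lines, 1)]
    return [(n, tags) for n, tags in hits if tags]

def unexpected_credential_files(files, known_paths):
    """files: iterable of (path, text). Flag any file holding AWS key material whose
    path is absent from the operator-maintained inventory known_paths."""
    return sorted(path for path, text in files
                  if CRED_RE.search(text) and path not in known_paths)

# Constructed sample egress log (no real hosts, keys or indicators).
SAMPLE_LOG = """\
2020-08-17T10:01:02Z 10.0.1.7 CONNECT stratum+tcp://pool.example.net:3333 -
2020-08-17T10:01:05Z 10.0.1.7 POST http://203.0.113.9/up aws_access_key_id=AKIA-PLACEHOLDER
2020-08-17T10:02:00Z 10.0.1.8 GET https://sts.amazonaws.com/ -
2020-08-17T10:03:00Z 10.0.1.7 POST https://203.0.113.9/up aws_secret_access_key=PLACEHOLDER
""".splitlines()
```

Running `scan_log(SAMPLE_LOG)` flags the first two lines only; the fourth line carries key material but over TLS, so it needs proxy-side decryption to be seen.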
The group TeamTNT has been vocal in taking credit for these scams. It has been using the domain teamtnt.red to host other malware and has a homepage entitled ‘TeamTNT RedTeamPentesting’. Upon examination, security experts counted 119 compromised servers across AWS. The amount of cryptocurrency mined by TeamTNT has been small, but the number of infected servers and the volume of stolen user data continue to grow.