Amazon Web Services (AWS) is under attack. It’s under attack by a group called TeamTNT, which is using a cryptomining worm to collect credentials. Once login information is acquired, the worm dispatches XMRig to mine Monero cryptocurrency. Stealing data and access has always had value, but stealing compute has not; only recently has it become worth anything, an unintended side effect of cryptomining. Even prior to TeamTNT, we have witnessed events and incidents where access was leaked and a $500,000 compute bill was run up overnight by cryptominers.
Compute is now more valuable than data or access, especially cloud access and cloud compute, which are highly sought after. But even stolen hardware compute has value now. There have been other first-hand instances where we have found people stealing servers from on-premise data centers and hiding them in the rafters, inside walls and under floors. It’s stolen power, stolen compute and stolen network. This can make an attacker serious money with new, weak cryptocurrencies that can be easily mined, and it could grow exponentially.
The AWS attack does more than cryptomining, though. From ThreatPost:
“According to researchers at Cado Security, the worm also deploys a number of openly available malware and offensive security tools, including “punk.py,” an SSH post-exploitation tool; a log cleaning tool; the Diamorphine rootkit; and the Tsunami IRC backdoor.
It is, they said, the first threat observed in the wild that specifically targets AWS for cryptojacking purposes. However, it also carries out more familiar fare.
“The worm also steals local credentials, and scans the internet for misconfigured Docker platforms,” according to a Monday posting. “We have seen the attackers…compromise a number of Docker and Kubernetes systems.”
Attacks on Docker and Kubernetes systems are not new, but the strict focus on AWS makes this attack unique. However, it appears that part of the automation in this attack isn’t fully functional, or that TeamTNT is manually assessing and using the credentials it steals. ThreatPost goes on to say, “The script that anchors TeamTNT’s worm is repurposed code from the aforementioned Kinsing malware [April Bitcoin mining attack], researchers said, which was originally used to scan for misconfigured Docker APIs, then spin up Docker images and install itself. They added that copying code from other tools is common in this area of cybercrime.”
“In turn, it is likely we will see other worms start to copy the ability to steal AWS credentials files too,” they said. “Whilst these attacks aren’t particularly sophisticated, the numerous groups out there deploying cryptojacking worms are successful at infecting large amounts of business systems.”
It is common for code to be copied and re-used or re-purposed by different attack groups, but the scale at which these attacks are happening is concerning, especially given that they are currently infiltrating AWS and that so many businesses may not be properly set up in the cloud: not all businesses have alerting, and many have dead accounts creating unnecessary attack surface.
In the past, we have discussed the importance of knowing what is normal for your company: how many VMs you’re using, what size they are and how often they are used. We’ve discussed setting alerts around budgeting and being vigilant about monitoring. This attack is a prime example of why we implore businesses to follow those guidelines.
The above guidelines help mitigate risk and provide early warning in the event of a breach or problem. In this instance, it is suggested that businesses look at every system storing AWS credential files and delete anything not needed. Review network traffic for new connections, connections to mining pools or anything sending credentials over HTTP. Use firewall rules to limit access to Docker APIs. Secure your AWS systems and credential files, and do it now, before the attack reaches your business and you are exposed. And set up budget alerts before you have a $1 million bill.
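To make the review steps above concrete, here is an added example (not code from the original post, Cado Security or ThreatPost) that triages constructed network-log lines for the two indicators the post names, AWS credentials sent over plain HTTP and outbound connections to mining pools, and checks a Docker daemon.json for an API bound to an unauthenticated TCP socket. The log line format, the pool port and hostname watchlists, and all sample data are assumptions made for this example; the AWS key ID shown is the placeholder key from AWS documentation.

```python
"""Added example: triage constructed log lines and a Docker daemon config for the
indicators the post recommends watching. Log format, watchlists and samples are
assumptions for this example, not a real detection product."""
import json
import re

# Assumed log line format: "<ts> <src_ip> -> <dst_host>:<dst_port> <proto> <detail>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+) (?P<proto>\S+) ?(?P<detail>.*)$"
)
# AWS access key IDs are 20 characters: "AKIA" (long-term) or "ASIA" (temporary) + 16 chars.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Ports commonly used by Stratum mining pools: a starting watchlist, not a complete one.
POOL_PORTS = {3333, 4444, 5555, 7777, 14444}
# Hostname fragments to watch (placeholder list; populate from your own threat intel).
POOL_NAME_HINTS = ("pool", "xmr", "monero")

# Constructed sample traffic (not real captures). Note the metadata request on port 80
# carries no key, so it is not flagged; the HTTPS login on the last line is not "over HTTP".
SAMPLE_LOG = [
    "2020-08-17T10:01:02Z 10.0.1.5 -> 169.254.169.254:80 http GET /latest/meta-data/",
    "2020-08-17T10:01:09Z 10.0.1.5 -> 203.0.113.10:80 http POST /upload aws_access_key_id=AKIAIOSFODNN7EXAMPLE",
    "2020-08-17T10:02:00Z 10.0.1.5 -> xmr-pool.example:3333 tcp stratum+tcp",
    "2020-08-17T10:02:30Z 10.0.1.6 -> 203.0.113.7:443 https GET /api/v1/items",
    "2020-08-17T10:03:00Z 10.0.1.6 -> 198.51.100.9:443 https POST /login aws_access_key_id=AKIAIOSFODNN7EXAMPLE",
]
# Constructed daemon.json samples: the first exposes the API on all interfaces without TLS.
EXPOSED_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock"]}'


def parse(line):
    """Parse one log line into a dict, or None if it does not match the assumed format."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def credentials_over_http(lines):
    """Return (ts, dst) for flows where an AWS key ID appears in plaintext HTTP."""
    hits = []
    for rec in filter(None, map(parse, lines)):
        plaintext = rec["proto"].lower() == "http" or rec["port"] == 80
        if plaintext and AWS_KEY_ID.search(rec["detail"]):
            hits.append((rec["ts"], rec["dst"]))
    return hits


def mining_pool_connections(lines):
    """Return (ts, src, dst, port) for flows matching the pool port or hostname watchlists."""
    hits = []
    for rec in filter(None, map(parse, lines)):
        by_port = rec["port"] in POOL_PORTS
        by_name = any(hint in rec["dst"].lower() for hint in POOL_NAME_HINTS)
        if by_port or by_name:
            hits.append((rec["ts"], rec["src"], rec["dst"], rec["port"]))
    return hits


def docker_api_exposed(daemon_json_text):
    """True if daemon.json binds the Docker API to a TCP socket without client-cert verification
    ("tlsverify" is the daemon.json key that turns that verification on)."""
    cfg = json.loads(daemon_json_text)
    return any(
        host.startswith("tcp://") and not cfg.get("tlsverify", False)
        for host in cfg.get("hosts", [])
    )


def triage(lines, daemon_json_text):
    """Bundle the three checks into one summary a responder can act on."""
    return {
        "credential_leaks": credentials_over_http(lines),
        "pool_connections": mining_pool_connections(lines),
        "docker_api_exposed": docker_api_exposed(daemon_json_text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, EXPOSED_DAEMON_JSON).items():
        print(f"{key}: {value}")
```

Run against the constructed samples, the triage flags the single plaintext upload carrying a key, the single connection to the pool host on port 3333, and the exposed daemon config; the hardened daemon.json (Unix socket only) passes. The hostname hints are deliberately broad and will produce false positives on their own, which is why the port check and the name check are kept separate in the output.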