Skip to content
Product
Icon-Platform
Platform

Explore the core capabilities of the Cado Platform.

 Icon-Environments
Environments

Discover the broad support that the Cado platform offers.

 Icon-Integrations
Integrations

Learn how the Cado platform integrates into your broader ecosystem.
Solutions
Use Cases
Icon-Cross-Cloud Investigations
Cross Cloud Investigations

Respond to incidents identified in AWS, Azure, and GCP in a single pane of glass.

 Icon-Container-Investigations
Container & K8s Investigations

Perform container investigations in EKS, AKS, GKE, and Kubernetes.

 Icon-Endpoint-Triage
Endpoint Triage

Automate endpoint triage for immediate insights and quick escalation.

 Icon-BEC-Compromise
SaaS Investigations

Analyze critical SaaS logs to investigate Business Email Compromise.

 Icon-Incident-Containment
Cloud Detection & Response (CDR)

Marry threat detection with forensic context to expedite response.

Icon-Evidence-Preservation
Evidence Preservation

Capture data immediately and preserve it before it disappears.
Cado For
DFIR
SOC
MSSPs
Partners
Government
Resources
Icon-Report
All Resources

Explore Cado Security's entire content library.

 Icon-Blog
Blog

Timely commentary from the Cado Security team.

 Icon-Playbook
Playbooks

Best practices for investigating and responding to threats.

Icon-Cheat-Sheet
Cheat Sheets

Quick tips for investigating and responding to incidents.

 Icon-News
News

The latest Cado company announcements, press, and more.

 Icon-Community
Community

Access to our free edition of the Cado platform.

 Icon-documentation
Documentation

Technical documentation on how to best leverage the Cado platform.

 White Paper 80x80
Wiki

Everything you need to know about cloud security and cloud forensics.

Company
Icon-About
About

Learn more about the Cado Security mission, vision, and team.

 Icon-Careers
Careers

Check out current career opportunities at Cado Security.

 Icon-Incidident-Response Preparedness-II
Cado Security Labs

The research and development division at Cado Security
Get a Demo
    Get a Demo
      curve design on left cloud image

      TeamTNT Script Employed to Grab AWS Credentials

      Written by: Chris Doman

      A TeamTNT script has been employed to target a Confluence vulnerability that grabs AWS credentials including those from ECS. 

      We’ve been tracking TeamTNT since the adversary group was tied back to a crypto-mining worm that specifically targeted Kubernetes clusters -- the first known worm that contained AWS-specific credential theft functionality.

      What We Found

      The IP address 3.10.224[.]87 is serving a clever script built by the TeamTNT crew to steal credentials. It steals AWS EC2 and AWS ECS credentials via their meta-data urls (169.254.169.254 for EC2 and 169.254.170.2 for ECS), as well as environment variables from Docker systems:

      The contents of malicious scripts at https://3.10.224[.]87/.a

      This IP address is also being used to attack vulnerable Confluence servers with the recent CVE-2021-26084 exploit:

      CVE-2021-26084 Exploit code

      The backdoor being distributed by the server, however, is well attributed to the Mushtik botnet.

      Have two different crews hacked the same server and are using it for hosting? Or has Mushtik borrowed some code from TeamTNT?

      Indicators of Compromise

      3.10.224[.]87

      https://3.10.224[.] 87/.a

      0e574fd30e806fe4298b3cbccb8d1089454f42f52892f87554325cb352646049

      F22ce94c41d69e539206f6832b046ca21b7d7e0a090918564d20d0ac91045276

      54934e404f70b23dc23945a61a9cc511fadeaf97a3e9b6a949b740130e9052bb

      Recommendations

      Given these findings, we recommend blocking IP address 3.10.224[.]87 to not fall victim.

      In addition, in our previous post detailing TeamTNTs techniques from August 2020, we’ve provided general recommendations on how to protect against these threats: 

      • Identify which systems are storing AWS credential files and delete them if they aren’t needed. It’s common to find development credentials have accidentally been left on production systems.

      • Use firewall rules to limit any access to Docker APIs. We strongly recommend using a allowlisted approach for your firewall ruleset.

      • Review network traffic for any connections to mining pools, or using the Stratum mining protocol.

      • Review any connections sending the AWS Credentials file over HTTP.

      Tag(s): Free Resources | Research & Threat Intel | aws

      More from the blog

      View All Posts
      Free Resources icon
      blog icon Free Resources
      Azure OMI Vulnerability OMIGOD (CVE-2021-38647) Now Under Exploitation
      September 17, 2021

      Azure users running Linux virtual machines are at risk of compromise unless they upgrade now. A vulnerable piece of...

      Continue Reading
      blog post icon
      Recent Attacks Against Supercomputers
      May 15, 2020

      This morning I saw news that a Supercomputer based at the University of Edinburgh called “Archer”, currently performing...

      Continue Reading
      Research & Threat Intel icon
      blog icon Research & Threat Intel
      Analysis of Novel Khonsari Ransomware Deployed by the Log4Shell Vulnerability
      December 14, 2021

      By Matt Muir Overview As previously reported, a recently-discovered critical vulnerability (CVE-2021-44228) in Apache’s...

      Continue Reading