{"id":36789,"date":"2021-01-25T09:55:26","date_gmt":"2021-01-25T09:55:26","guid":{"rendered":"https:\/\/www.vmengine.net\/2021\/01\/25\/teamtnt-back-at-work-after-docker-aims-at-aws-servers\/"},"modified":"2025-05-23T17:25:37","modified_gmt":"2025-05-23T17:25:37","slug":"teamtnt-back-at-work-after-docker-aims-at-aws-servers","status":"publish","type":"post","link":"http:\/\/temp_new.vmenginelab.com\/en\/2021\/01\/25\/teamtnt-back-at-work-after-docker-aims-at-aws-servers\/","title":{"rendered":"TeamTNT back at work, after Docker aims at AWS servers"},"content":{"rendered":"<div class=\"et_pb_section et_pb_section_228 et_section_regular\" >\n<div class=\"et_pb_row et_pb_row_319\">\n<div class=\"et_pb_column et_pb_column_4_4 et_pb_column_319  et_pb_css_mix_blend_mode_passthrough et-last-child\">\n<div class=\"et_pb_module et_pb_text et_pb_text_691  et_pb_text_align_left et_pb_bg_layout_light\">\n<div class=\"et_pb_text_inner\">\n<h3><em><a href=\"https:\/\/www.trendmicro.com\/en_hk\/business.html\"><br \/>\n  <span style=\"font-weight: 400;\">Trendmicro<\/span><br \/>\n<\/a><span style=\"font-weight: 400;\"> exposes the criminal organization TeamTNT for a second time. <\/span> <\/em><\/h3>\n<\/div><\/div>\n<div class=\"et_pb_module et_pb_text et_pb_text_692  et_pb_text_align_left et_pb_bg_layout_light\">\n<div class=\"et_pb_text_inner\">\n<p><span style=\"font-weight: 400;\">The report published by the security company confirms that it has found a second version of the botnet, more powerful and refined. 
If an early version of the malware only affected Docker, it is now also able to affect the servers of  <\/span><a href=\"https:\/\/aws.amazon.com\/it\/\"><span style=\"font-weight: 400;\">AWS.<\/span><\/a><\/p>\n<p><span style=\"font-weight: 400;\"><\/span><\/p>\n<p><span style=\"font-weight: 400;\">TeamTNT developers aren&#8217;t just interested in <\/span><b>mining<\/b> anymore<span style=\"font-weight: 400;\">, but now malicious scripts are being developed to steal data such as credentials and passwords. In addition, the new version of the botnet is able to prepare the environment to make sure that it has enough resources to undermine the security of other platforms; in fact, they hide in the system and also install backdoors in case they need to connect remotely to the infected servers.<\/span><\/p>\n<\/div><\/div>\n<div class=\"et_pb_module et_pb_text et_pb_text_693  et_pb_text_align_left et_pb_bg_layout_light\">\n<div class=\"et_pb_text_inner\">\n<p><b>What&#8217;s going on?<\/b><span style=\"font-weight: 400;\">  TeamTNT accesses exposed Docker containers, installs crypto mining malware, and steals credentials for AWS servers in order to pivot to a company&#8217;s other IT systems to infect even more servers and deploy cryptocurrency miners.  <\/span><span style=\"font-weight: 400;\">This type of attack is dangerous for companies that are exposed online and also for those that use Docker management APIs.  <\/span><span style=\"font-weight: 400;\">At this point a question arises: is it really possible to suffer such an attack? 
How can anyone leave containers open, with free access to all?<\/span><\/p>\n<\/div><\/div>\n<div class=\"et_pb_module et_pb_text et_pb_text_694  et_pb_text_align_left et_pb_bg_layout_light\">\n<div class=\"et_pb_text_inner\">\n<p><span style=\"font-weight: 400;\">The answer usually lies in one of the following:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Bugs in the application, or in other pieces of software contained in the container;<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Docker APIs exposed to all;<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Unsecured or poorly protected Git repositories (credentials that ended up public, etc.);<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Any DB used by the application exposed on the internet.<\/span><\/li>\n<\/ul>\n<\/div><\/div>\n<div class=\"et_pb_module et_pb_text et_pb_text_695  et_pb_text_align_left et_pb_bg_layout_light\">\n<div class=\"et_pb_text_inner\">\n<p><span style=\"font-weight: 400;\">In order not to fall into this error and to avoid exposing yourself to risks of this type, we have drawn up a list of <\/span><b>Best Practices<\/b><span style=\"font-weight: 400;\"> to put in place to protect customers from a possible malware attack:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Use IAM Roles instead of programmatic keys such as Access Key and Secret Access Key for authenticated calls to AWS services<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Organize networking with public\/private subnets to secure the &#8220;master&#8221; nodes when using EKS, or to avoid exposing EC2 instances in the case of ECS on EC2<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 
400;\">Have a single point of access to the infrastructure (such as a CDN) that is then protected with a Web Application Firewall (WAF) to block DDoS, XSS and SQL Injection attacks (layer 7 protection in the ISO\/OSI stack) together with layer 3-4 protection.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Always use private repositories (CodeCommit\/git\/ECR)<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Do not store application credentials in repositories; use other solutions instead, such as S3 buckets locked down by strict policies or AWS Systems Manager.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">In addition, it should be remembered that all calls to AWS services require authentication, even via API, and that AWS does not expose anything on the internet by default.<\/span><\/p>\n<\/p>\n<\/div><\/div>\n<div class=\"et_pb_module et_pb_text et_pb_text_696  et_pb_text_align_left et_pb_bg_layout_light\">\n<div class=\"et_pb_text_inner\">\n<p><span style=\"font-weight: 400;\">Here are two real-world case studies in which VMEngine was able to set all security policies in the best possible way, positively affecting performance and making the IT architecture secure and scalable:<\/span><\/p>\n<\/div><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"et_pb_row et_pb_row_320\">\n<div class=\"et_pb_column et_pb_column_1_2 et_pb_column_320  et_pb_css_mix_blend_mode_passthrough\">\n<div class=\"et_pb_button_module_wrapper et_pb_button_50_wrapper  et_pb_module \">\n\t\t\t\t<a class=\"et_pb_button et_pb_button_50 et_pb_bg_layout_light\" href=\"https:\/\/temp_new.vmenginelab.com\/project\/uninettuno-listruzione-in-cloud-a-portata-di-clic\/\" target=\"_blank\">Read the Case Study on UNINETTUNO<\/a>\n\t\t\t<\/div>\n<\/p><\/div>\n<div class=\"et_pb_column et_pb_column_1_2 et_pb_column_321  et_pb_css_mix_blend_mode_passthrough et-last-child\">\n<div class=\"et_pb_button_module_wrapper 
et_pb_button_51_wrapper  et_pb_module \">\n\t\t\t\t<a class=\"et_pb_button et_pb_button_51 et_pb_bg_layout_light\" href=\"https:\/\/temp_new.vmenginelab.com\/en\/project\/yeppon-it-rise-italian-e-commerce-giant\/\" target=\"_blank\">Read the Yeppon Case Study  <\/a>\n\t\t\t<\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Trendmicro exposes the criminal organization TeamTNT for a second time. The report published by the security company confirms that it has found a second version of the botnet, more powerful and refined. If an early version of the malware only affected Docker, it is now also able to affect the servers of AWS. TeamTNT developers [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":32501,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[97,2297],"tags":[3304,4392,4285,4286,4393,4394,4395],"class_list":["post-36789","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-en","category-news-en","tag-amazon-web-service-en","tag-aws-servers","tag-cybersecurity-en","tag-malware-en","tag-mining-en","tag-safety","tag-teamtnt-en"],"aioseo_notices":[],"jetpack_featured_media_url":"http:\/\/temp_new.vmenginelab.com\/wp-content\/uploads\/2021\/01\/AMAZON-SERVER-min-1.jpg","amp_enabled":true,"_links":{"self":[{"href":"http:\/\/temp_new.vmenginelab.com\/en\/wp-json\/wp\/v2\/posts\/36789","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/temp_new.vmenginelab.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/temp_new.vmenginelab.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/temp_new.vmenginelab.com\/en\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"http:\/\/temp_new.vmenginelab.com\/en\/wp-json\/wp\/v2\/comments?post=36789"}],"version-history":[{"count":1,"href":"http:\/\/temp_new.vmenginelab.co
m\/en\/wp-json\/wp\/v2\/posts\/36789\/revisions"}],"predecessor-version":[{"id":41543,"href":"http:\/\/temp_new.vmenginelab.com\/en\/wp-json\/wp\/v2\/posts\/36789\/revisions\/41543"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/temp_new.vmenginelab.com\/en\/wp-json\/wp\/v2\/media\/32501"}],"wp:attachment":[{"href":"http:\/\/temp_new.vmenginelab.com\/en\/wp-json\/wp\/v2\/media?parent=36789"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/temp_new.vmenginelab.com\/en\/wp-json\/wp\/v2\/categories?post=36789"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/temp_new.vmenginelab.com\/en\/wp-json\/wp\/v2\/tags?post=36789"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}