TeamTNT

Threat Actor Profile Updated 3 months ago
TeamTNT is a threat actor group known for its malicious activities and has been implicated in a series of sophisticated attacks on Kubernetes, one of the most complex to date. The group is notorious for deploying malware, in particular the Hildegard malware, which was identified during a new campaign; the username of the tmate account used by the malware was "Hildegard", which gave the malware its name.

The initial infection vector of the P2PInfect worm, exploiting Redis through CVE-2022-0543, is uncommon among other cryptojacking-focused worms that target Redis instances, and it differentiates TeamTNT from other threat actors such as Adept Libra (aka TeamTNT), Thief Libra (aka WatchDog), and those delivering Money Libra (aka Kinsing) variants.

In 2023, SentinelOne and Aqua Security investigated a TeamTNT cryptojacking campaign that spanned Google Cloud, Microsoft Azure, and Amazon Web Services (AWS). Despite the widespread impact, the financial gains were relatively small: TeamTNT made around $8,100 in proceeds while leaving victims with approximately $430,000 in bills. This pattern of exploitation, targeting Docker and Kubernetes environments for cryptojacking and other malicious activities, is consistent with TeamTNT's history.

The group has continued to evolve its tactics, techniques, and procedures (TTPs), as evidenced by its deployment of the Legion malware in April, which targeted misconfigured cloud-based email servers and attacked AWS CloudWatch. TeamTNT has also been linked to stealing credentials for Azure, Google Cloud Platform, and AWS, using a worm that targets Docker containers. Notably, the Docker Hub account "hildeteamtnt" was identified as being used by TeamTNT to store its malicious images. These developments highlight the group's ongoing threat to cybersecurity and the need for robust countermeasures.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID / Votes / Profile Description
Tsunami (3 votes): The "Tsunami" malware, a malicious software designed to exploit and damage computer systems, has caused significant cybersecurity disruptions globally. This malware, whose variants include xmrigDeamon, Bioset, dns3, xmrigMiner, docker-update, dns, 64[watchdogd], 64bioset, 64tshd, armbioset, armdns,
Thief Libra (2 votes): Thief Libra, also known as WatchDog, is a threat actor identified in the cybersecurity world for its malicious activities. The group's operations involve exploiting vulnerabilities to execute actions with harmful intent. A notable aspect of Thief Libra's modus operandi involves targeting Redis insta
Adept Libra (2 votes): Adept Libra, also known as TeamTNT, is a malicious threat actor that has been active in cybersecurity breaches since at least July 2021. The group is known for its innovative use of tools such as LaZagne to steal passwords from various operating systems, including Linux distributions in cloud-based
Silentbob (1 vote): Silentbob, a threat actor linked to the infamous cryptojacking group known as TeamTNT, has been identified as a significant cybersecurity concern. Silentbob has been involved in an aggressive cloud campaign, infecting as many as 196 hosts. The activity is named after an AnonDNS domain set up by the
Money Libra (1 vote): Money Libra, also known as Kinsing, is a malicious software (malware) that has been active since late 2021. This malware primarily targets cloud-native environments and applications such as Kubernetes clusters, Docker API, Redis, Jenkins and Openfire servers, and cloud-hosted Apache NiFi instances,
Diamorphine (1 vote): Diamorphine is a threat actor, a human entity or group with malicious intent, that has been identified as using sophisticated techniques to compromise system security. This actor utilizes open-source rootkits available on GitHub, namely Diamorphine and Reptile, to infiltrate supported systems. These
Dockgeddon (1 vote): Dockgeddon is a threat actor identified by Lacework Labs through their Docker API honeypot. The honeypot detected a container image named "dockgeddon" being created from the Megawebmaster account, which is known for its association with TeamTNT utilities. This discovery was made possible through the
Hildegard (1 vote): Hildegard is a sophisticated malware strain attributed to the cybercriminal group TeamTNT. This malicious software primarily exploits unsecured kubelets to infiltrate and move laterally within Kubernetes clusters. The name "Hildegard" derives from the username of the tmate account utilized by the m
Kinsing (1 vote): Kinsing is a type of malware, short for malicious software, that is designed to exploit and damage computer systems or devices. It typically infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt o
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Worm
Aws
Kubernetes
Docker
Linux
Cybercrime
LaZagne
Credentials
Redis
Nginx
Azure
Github
Rootkit
SSH
Ddos
Backdoor
Exploit
Downloader
Apt
Trojan
Bot
Payload
Beacon
Botnet
Hadoop
Lateral Move...
Associated Malware
ID / Type / Votes / Profile Description
P2pinfect (type: Unspecified, 2 votes): P2Pinfect is a malicious software (malware) that has recently been updated to target Redis servers with miners and ransomware, as well as routers and Internet of Things (IoT) devices. This malware infects systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once
Ziggystartux (type: Unspecified, 1 vote): ZiggyStarTux is a malicious software (malware) that has been identified as part of the arsenal of TeamTNT, a cybercriminal group. The malware, an open-source IRC bot based on the Kaiten malware, was first detailed by Lacework earlier this year. It operates as a backdoor, running a secondary payload
Tntfeatb0rg (type: Unspecified, 1 vote): TNTFeatB0RG is a malicious software (malware) identified within the "dockgeddon" Docker image, designed to exploit and damage computer systems. It can infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, TNTFeatB0RG has the capability to steal
Jupyter (type: Unspecified, 1 vote): Jupyter, also known as SolarMarker, Yellow Cockatoo, and Jupyter Infostealer, is a malware that has been steadily evolving since 2020. This malicious software targets sectors such as education, healthcare, and small to medium-sized enterprises (SMEs). It is designed to exploit and damage computer sy
Associated Threat Actors
ID / Type / Votes / Profile Description
Rocke (type: Unspecified, 1 vote): Rocke, also known as the Iron Cybercrime Group, is a significant threat actor in the cybersecurity landscape. Identified by Talos in 2018, Rocke has been linked to various malicious activities, including the deployment of an ELF backdoor for financial gain. The group's primary motivation appears to
Winnti (type: Unspecified, 1 vote): Winnti is a sophisticated threat actor group, first identified by Kaspersky in 2013, with activities dating back to at least 2007. The group has been associated with the Chinese nation-state and is part of a collective known as APT41, which also includes subgroups like Wicked Panda, Suckfly, and Bar
Agent Serpens (type: Unspecified, 1 vote): (no profile description)
Associated Vulnerabilities
ID / Type / Votes / Profile Description
No associations to display
Source Document References
Information about the TeamTNT threat actor was read from the document corpus below. This display is limited to 20 results.
Source / Created At / Title
InfoSecurity-magazine (5 months ago): Linux Malware Targets Docker, Apache Hadoop, Redis and Confluence
CERT-EU (6 months ago): Europol Catches Hacker Behind $2M Cryptojacking Operation | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU (6 months ago): Multimillion-dollar cryptojacker snared by Ukrainian police
CERT-EU (6 months ago): Cryptominers Targeting Misconfigured Apache Hadoop and Flink with Rootkit in New Attacks
CERT-EU (6 months ago): Organizations behind on cloud security, even as cloud investments surge
CERT-EU (a year ago): New Cryptojacking Campaign Leverages Misconfigured Redis Database Servers
CERT-EU (8 months ago): Python Malware Poses DDoS Threat Via Docker API Misconfiguration
InfoSecurity-magazine (8 months ago): Python Malware Poses DDoS Threat Via Docker API Misconfiguration
Trend Micro (9 months ago): Secure Cloud Infrastructure from New Cyber Threats
CERT-EU (9 months ago): Qubitstrike attacks rootkit Jupyter Linux servers to steal credentials
CERT-EU (a year ago): Silentbob Campaign: Cloud-Native Environments Under Attack
CERT-EU (a year ago): In Other News: Healthcare Product Flaws, Free Email Security Testing, New Attack Techniques
CERT-EU (a year ago): Links 03/09/2023: RPi Images for Debian and Perl News
Unit42 (a year ago): Why LaZagne Makes D-Bus API Vigilance Crucial
CERT-EU (a year ago): Malicious Campaigns Exploit Weak Kubernetes Clusters for Crypto Mining
CERT-EU (a year ago): Aqua Nautilus find Kubernetes clusters under attack
CERT-EU (a year ago): Cado Security Labs unveils inaugural cloud threat report
CERT-EU (a year ago): ALERT: Self-Replicating P2PInfect Worm Hits Redis Instances
CERT-EU (a year ago): New P2P Worm Puts Windows and Linux Redis Servers in its Sights
CERT-EU (a year ago): Sophisticated Cloud Credential Theft Campaign Targets AWS, Expands to Azure and Google Cloud | IT Security News