TeamTNT

Threat Actor updated 16 hours ago (2024-10-17T13:04:21.058Z)

Download STIX

Preview STIX

TeamTNT, a known threat actor group, has been identified as the force behind an advanced malware campaign targeting Kubernetes. The group's Hildegard malware is one of the most complex attacks seen to date in this area. Despite a common belief that TeamTNT disbanded in 2022, evidence of their activity dating back to 2023 has been discovered. This group is notorious for its cryptojacking attacks, using victims' IT resources to illicitly mine for cryptocurrency. Their tactics, techniques and procedures (TTPs) have shown overlaps with ongoing campaigns from previous years, indicating a consistent and persistent threat. The initial infection vector of the P2PInfect worm exploited Redis through CVE-2022-0543, a method uncommon among other cryptojacking-focused worms. However, similarities between these attacks and those orchestrated by Adept Libra (also known as TeamTNT), Thief Libra (WatchDog), and Money Libra (Kinsing) suggest possible connections. The Hildegard malware, named after the username of the tmate account used by the malware, is believed to be part of a new campaign from TeamTNT. The sophistication of these attacks underscores TeamTNT’s advanced skills in automation and attention to detail, from initial access to thwarting recovery attempts. In 2023, security companies SentinelOne and Aqua Security studied a TeamTNT cryptojacking campaign covering Google Cloud, Microsoft Azure, and Amazon Web Services (AWS). It was reported that TeamTNT mined over $8,100 worth of cryptocurrency from hijacked cloud infrastructure at a cost to their victims of more than $430,000. While this may not seem like significant profit, it does demonstrate the potential financial impact on victims. As such, the cybersecurity community continues to monitor TeamTNT closely, warning of impending Docker attacks and other potential threats.

Description last updated: 2024-10-17T12:22:01.263Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Thief Libra is a possible alias for TeamTNT. Thief Libra, also known as WatchDog, is a threat actor identified in the cybersecurity world for its malicious activities. The group's operations involve exploiting vulnerabilities to execute actions with harmful intent. A notable aspect of Thief Libra's modus operandi involves targeting Redis insta	2
Adept Libra is a possible alias for TeamTNT. Adept Libra, also known as TeamTNT, is a malicious threat actor that has been active in cybersecurity breaches since at least July 2021. The group is known for its innovative use of tools such as LaZagne to steal passwords from various operating systems, including Linux distributions in cloud-based	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Worm

Aws

Linux

Cybercrime

Kubernetes

Credentials

Docker

Azure

LaZagne

Redis

Nginx

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The P2pinfect Malware is associated with TeamTNT. P2Pinfect is a form of malware, malicious software designed to infiltrate and damage computer systems or devices without the user's knowledge. It can enter your system through suspicious downloads, emails, or websites and once inside, it has the ability to steal personal information, disrupt operati	Unspecified	2

Source Document References

Information about the TeamTNT Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
InfoSecurity-magazine	a month ago	Cryptojacking Gang TeamTNT Make a Comeback
Securityaffairs	a month ago	Linux malware called Hadooken targets Oracle WebLogic servers
InfoSecurity-magazine	7 months ago	Linux Malware Targets Docker, Apache Hadoop, Redis and Confluence
CERT-EU	9 months ago	Europol Catches Hacker Behind $2M Cryptojacking Operation \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
CERT-EU	9 months ago	Multimillion-dollar cryptojacker snared by Ukrainian police
CERT-EU	9 months ago	Cryptominers Targeting Misconfigured Apache Hadoop and Flink with Rootkit in New Attacks
CERT-EU	9 months ago	Organizations behind on cloud security, even as cloud investments surge
CERT-EU	2 years ago	New Cryptojacking Campaign Leverages Misconfigured Redis Database Servers
CERT-EU	a year ago	Python Malware Poses DDoS Threat Via Docker API Misconfiguration
InfoSecurity-magazine	a year ago	Python Malware Poses DDoS Threat Via Docker API Misconfiguration
Trend Micro	a year ago	Secure Cloud Infrastructure from New Cyber Threats
CERT-EU	a year ago	Qubitstrike attacks rootkit Jupyter Linux servers to steal credentials
CERT-EU	a year ago	Silentbob Campaign: Cloud-Native Environments Under Attack
CERT-EU	a year ago	In Other News: Healthcare Product Flaws, Free Email Security Testing, New Attack Techniques
CERT-EU	a year ago	Links 03/09/2023: RPi Images for Debian and Perl News
Unit42	a year ago	Why LaZagne Makes D-Bus API Vigilance Crucial
CERT-EU	a year ago	Malicious Campaigns Exploit Weak Kubernetes Clusters for Crypto Mining
CERT-EU	a year ago	Aqua Nautilus find Kubernetes clusters under attack
CERT-EU	a year ago	Cado Security Labs unveils inaugural cloud threat report
CERT-EU	a year ago	ALERT: Self-Replicating P2PInfect Worm Hits Redis Instances