The Escalation of Cloud Credential Stealing: From AWS to Azure and Google Cloud

Cloud-Credential Stealing and Cryptomining Campaign Expands to Azure and Google Cloud Platform

Background

Over the past several months, a sophisticated campaign targeting Amazon Web Services (AWS) environments has now expanded to Azure and Google Cloud Platform (GCP). Researchers have determined that the tools used in the campaign share considerable overlap with those associated with TeamTNT, a notorious threat actor. The broader targeting began in June and is consistent with a series of incremental refinements made by the threat actor since December.

Attack Techniques

The attacks targeting Azure and Google’s cloud services involve the same core attack scripts used in the AWS campaign. However, the capabilities for Azure and GCP are still nascent and less developed compared to AWS. Researchers anticipate that the threat actor will continue to develop more tools with bespoke automations for these environments in the coming weeks.

TeamTNT, the threat group behind the campaign, is known for targeting exposed cloud services and exploiting cloud misconfigurations and vulnerabilities. While initially focusing on cryptomining campaigns, they have recently expanded into data theft and backdoor deployment activities.

In their latest activity, the attacker has started targeting exposed Docker services using modified shell scripts. These scripts are designed to determine the environment they are in, profile the systems, search for credential files, and exfiltrate them. The attacker’s toolset can enumerate service environment information regardless of the underlying cloud service provider.

Deployment of Cloud Worms

The threat actor is reportedly prepping an “aggressive cloud worm” designed to deploy in AWS environments. The worm aims to facilitate cloud credential theft, resource hijacking, and the deployment of a backdoor called “Tsunami.” In addition to the shell scripts used in earlier attacks, TeamTNT is now delivering a UPX-packed, Golang-based ELF binary. This binary drops and executes another shell script for scanning an attacker-specified range and propagating to other vulnerable targets.

The worm's propagation routine looks for hosts whose responses carry a specific Docker version user-agent string. Docker instances hosted on Azure or GCP are therefore just as exposed to these attacks as those on AWS. It is worth noting that other reports have also highlighted attacks against public-facing Jupyter services, where the same concepts apply.

Implications for Azure and GCP Users

Organizations using Azure and GCP should assume that attacks against their environments will use frameworks and techniques similar to those seen in the AWS campaign. Administrators are advised to speak with their red teams to understand which attack frameworks work well against these platforms.

It is crucial for organizations to prioritize security measures that protect their cloud environments. This includes maintaining secure configurations, implementing strong access controls, monitoring for suspicious activity and misconfigurations, regularly patching software, and conducting thorough security assessments.
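The two conditions the campaign above depends on, an exposed Docker daemon and readable cloud credential files on the host, can be checked locally. The following audit is an added example written for this article, not code from the researchers or from TeamTNT's toolset; it assumes the standard daemon.json location and the default credential-file paths of the AWS, Azure and gcloud CLIs.

```python
import json
import stat
import tempfile
from pathlib import Path

# Where the cloud CLIs keep credentials (assumption: default CLI locations).
CREDENTIAL_FILES = {
    "aws": ["~/.aws/credentials", "~/.aws/config"],
    "azure": ["~/.azure/azureProfile.json", "~/.azure/msal_token_cache.json"],
    "gcp": ["~/.config/gcloud/credentials.db",
            "~/.config/gcloud/application_default_credentials.json"],
}

def insecure_docker_hosts(daemon_json_text):
    """Return Docker API listeners that accept remote connections without TLS.

    daemon_json_text is the content of /etc/docker/daemon.json. A tcp:// entry
    in "hosts" with neither "tlsverify" nor "tls" set is the exposed-daemon
    condition the worm described above probes for.
    """
    cfg = json.loads(daemon_json_text or "{}")
    tls_on = bool(cfg.get("tlsverify") or cfg.get("tls"))
    return [h for h in cfg.get("hosts", [])
            if h.startswith("tcp://") and not tls_on]

def exposed_credential_files(home="~"):
    """Return (provider, path, mode) for credential files readable by group/other."""
    findings = []
    for provider, paths in CREDENTIAL_FILES.items():
        for p in paths:
            full = Path(p.replace("~", home, 1)).expanduser()
            if not full.is_file():
                continue
            mode = stat.S_IMODE(full.stat().st_mode)
            if mode & 0o077:  # any group/other permission bit set
                findings.append((provider, str(full), oct(mode)))
    return findings

def demo():
    """Constructed input: a daemon.json listening on plain TCP and a
    world-readable AWS credentials file in a throwaway home directory."""
    daemon_json = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
    home = tempfile.mkdtemp()
    creds = Path(home, ".aws", "credentials")
    creds.parent.mkdir()
    creds.write_text("[default]\naws_access_key_id = EXAMPLE\n")
    creds.chmod(0o644)
    return insecure_docker_hosts(daemon_json), exposed_credential_files(home)

if __name__ == "__main__":
    print(demo())
```

Run with the real daemon.json contents and `exposed_credential_files()` against the host's home directories to get the actual findings; the constructed demo only shows the expected shape of a positive result.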

Conclusion

The expansion of the cloud-credential stealing and cryptomining campaign to Azure and Google Cloud Platform highlights the need for increased vigilance in securing cloud environments. Cloud service providers and organizations must work together to continuously improve security measures, detect and respond to threats, and implement policies and procedures to mitigate the risks.
