CyberWire Daily - A glimpse into TeamTNT. [Research Saturday]
Episode Date: November 13, 2021
Senior Intelligence Researcher at Anomali, Tara Gould, joins Dave to discuss their team's work on "Inside TeamTNT’s Impressive Arsenal: A Look Into A TeamTNT Server." Anomali Threat Research discovered a server with an open directory listing that they attribute with high confidence to the German-speaking threat group TeamTNT. The server contains source code, scripts, binaries, and cryptominers targeting cloud environments. Amazon Web Services (AWS) credentials stolen by TeamTNT's credential stealers are also hosted on the server. This inside view of TeamTNT infrastructure and tools in use can help security operations teams improve detection capabilities for related attacks, whether coming directly from TeamTNT or from other cybercrime groups leveraging their tools. The research can be found here: Inside TeamTNT’s Impressive Arsenal: A Look Into A TeamTNT Server
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
I discovered some Docker images, a Docker repo that contained 25 Docker images.
And from that, that's where I found this repo.
That's Tara Gould. She's a senior intelligence researcher at Anomali.
The research we're discussing today is titled Inside Team TNT's Impressive Arsenal, A Look Into a Team TNT Server.
So Team TNT are, you know, pretty prolific as a group at the moment, in the sense that they are targeting cloud environments, which is where, you know, the sort of future of everything tech is really going towards. So I was interested in them from that perspective. Also interested in sort of their, you know, how they sort of differentiate themselves from other groups, in the sense that they are quite interested in sort of self-promotion.
You know, they don't shy away from essentially, like, self-attribution.
You know, they will probably state what is theirs, what they are doing.
So it started as an interest.
I knew that they were targeting sort of Weaveworks, Weavescope, BSL, and LAT. I discovered some Docker images, a Docker repo that contained 25 Docker images, and from that, that's where I found this repo.
Well, before we dig into some of the specifics here, what are some of the other details about Team TNT? What do we know about them?
We know that they're German speaking. They say that they're in Germany, and by all accounts, that does appear to be true.
They also, they're an interesting group in the sense that, you know, other groups, you may think that they would say something like that to sort of throw people off the scent, but they are pretty upfront with information about themselves and their tactics and tools.
So we know that they're German. They are interested in cryptojacking. They have been about in their current iteration since 2020. There is some research that points to them going back to potentially 2011, and there is some evidence supporting some possible iteration of them being about in some form for quite a number of years, possibly like eight or nine years.
Well, let's dig into this specific research here. What exactly is it that you all found?
So what we found was a Team TNT repo that was sitting open with directory listing, which meant that we were able to find various folders that hosted large amounts of scripts, binaries, cryptominers, source code, stolen credentials, rootkits, metadata, tools, logs, and pretty much everything that would be used in one of their campaigns.
And also artifacts from other campaigns.
Well, let's dig into some of the details here.
I mean, you found a variety of different things.
Can we go through them together?
And can you describe to us each sort of individual aspect
to what it is that you discovered?
Yep. So this was the CMD folder, command, I suppose that is.
This contained about 50 scripts. Now, a lot of these, you know, they've already been written about, they've been used in previous campaigns. It is nothing new, but that contained, you know, AWS credential stealers, the Diamorphine rootkit, IP scanners, MountSploit scripts, the setup utils, miners, and then they also have scripts that remove previous miners.
Do any of the scripts stand out in particular?
Is there anything that's interesting or clever in the things that you found?
Yeah, so the mentions of Kubernetes is interesting, as they appear to be sort of pivoting towards Kubernetes.
Interesting for a number of reasons, as obviously, you know, the use of it is increasing.
And again, it's a more sort of future-looking way of attacking as opposed to sort of more old-school traditional, which would be like a.file, macros, and sort of like Windows malware.
Well, let's dig into some of the binaries then.
What did you find there?
Yep.
So another folder was the bin folder.
This contained a number of binaries.
And again, a lot of these have been used by Team TNT in the past.
Another thing notable with Team TNT is they do tend to watermark all of their malware.
Again, like somebody else could hypothetically do it, but in terms of attribution, it does appear to be very clear that it is them.
So the binaries included the Tsunami backdoor and the XMRig cryptominer. So the use of cryptominers is pretty common with Team TNT, as cryptojacking seems to be sort of their main focus. And then this folder also contained various utilities that they will use in carrying out their activities.
So some of these are like pen testing tools and like IP scanners.
And then one of the other things you explored here
was some of the metadata.
What was revealed here?
This folder, the metadata, the in folder, was very interesting. From what I can see, it appears to contain the stolen... So I have to assume these are from previous Team TNT campaigns, and it contains lists of stolen AWS credentials, lists of S3 buckets. There were some other credential files. In particular, the one that I noticed that was interesting was an Engroff credential file that had a name attached to it. It's difficult to tell where exactly that came from, why there was just that single one.
It's unclear whether this was a victim or not. That's all I can really say on that without saying too much.
Yeah.
It's sort of fascinating as I was reading through your research here, as you kind of mentioned at the outset that, well, a couple of things about Team TNT.
I mean, first of all, I think it's fair to say that we don't really hear of a lot of
threat groups coming out of Germany.
That's interesting in itself. But then also, as you say, just how
they're willing to hang their name on so many things. I mean, the fact that they're coming from,
if indeed they are from Germany, which we have a good relationship with when it comes to law
enforcement, the fact that they're bragging about their efforts here, that's interesting as well.
Yeah, it is very interesting.
There could be a multitude of reasons for it.
Maybe they're happy to, you know, sort of take the glory from it, if you will, because
they haven't been caught yet.
And, you know, it's possible that they have been doing this
for a number of years and, you know,
could be sort of cocky about it.
But it is interesting and it is, you know,
a differentiator compared to other groups.
There's also, you know, the aspect, like,
if you look at it sort of from, like, a developer aspect,
you know, like, they're putting time and effort
into creating these, like, and, you know,
they are, I guess you would call them successful, you know, threat group.
So, you know, maybe they just want the sort of glory to go along with it.
You know, they want stuff that is theirs to be credited to them.
They do frequently go after sort of either, like, researchers or companies that are putting out research that are attributing stuff to them that isn't them. They will come out and say, like, this is not Team TNT, which is another interesting part. They're very willing in saying what is them and what's not.
Do you have any notion, I mean, the very fact that you are able to see inside this directory, there's their own infrastructure here, do we suspect that that was intentional on their part, or may it have been just a little bit of sloppiness?
That is the really interesting question. So after this was published on Twitter, they claimed that it was done intentionally, which, you know, it very well could have been. They said that it was done intentionally to sort of burn all of what they had and to move on to the next round of campaigns.
Whether that's true or not, it's really hard to decipher.
Ironically, they tweeted the other day a picture that was like, humans are often more stupid than they realize.
Possibly that, you know, they've just got a little bit careless, but it would surprise me. Like they, you know, they're clearly technical, smart, whatever. So it would make sense if it was done intentionally. But again, like you never know, like we're all humans and like sometimes just like, you know, sort of overlook stuff. That's another part that is really interesting about this.
And so based on the information that you all have gathered here, what are your recommendations for folks to best protect themselves?
Yeah, so making sure security groups are configured properly, making sure that people's configurations are done correctly.
A lot of the default configs you can't rely on.
Keeping up to date with vulnerabilities is another one.
And also monitoring and blocking malicious traffic.
Our thanks to Tara Gould from Anomali for joining us.
The research is titled Inside Team TNT's Impressive Arsenal, A Look Into a Team TNT Server. We'll have a link in the show notes.
Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Brandon Karp, Puru Prakash, Justin Sebi, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Patrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here next week.