[BreachExchange] Thousands of Organizations Targeted Via 'Operation Chimaera'

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Mon Sep 13 08:30:33 EDT 2021


https://www.ehackingnews.com/2021/09/thousands-of-organizations-targeted-via.html

The TeamTNT hacking group has enhanced its abilities by adding a set of
tools that allow it to target multiple operating systems.

Earlier this week, cybersecurity experts from AT&T Alien Labs published a
report on a new campaign, tracked as Chimaera. According to AT&T
researchers, infection statistics on the command-and-control (C2) server
used in Chimaera suggest that the campaign began on July 25, 2021.

TeamTNT was first discovered last year and was related to the installation
of cryptocurrency mining malware on susceptible Docker containers. The
operations of the TeamTNT hacking group have been closely monitored by
security firm Trend Micro, but in August 2020 experts from Cado Security
contributed the more recent discovery of TeamTNT targeting Kubernetes
installations.

Now, the researchers at Alien Labs believe the hacking group is targeting
Windows, AWS, Docker, Kubernetes, and various Linux installations,
including Alpine. Despite the short time period, the latest campaign is
responsible for "thousands of infections globally," the researchers say.

In its latest campaign, TeamTNT is using open-source tools like the port
scanner Masscan, libprocesshider software for executing the TeamTNT bot
from memory, 7z for file decompression, the b374k shell PHP panel for
system control, and Lazagne.

Lazagne is an open-source application for multiple operating systems that
retrieves passwords stored on local devices by software including Chrome,
Firefox, Wi-Fi, OpenSSH, and various database programs. According to Palo
Alto Networks, the group has also added Peirates, a cloud penetration
testing toolset, to its armory to target cloud-based apps.

“With these techniques available, TeamTNT actors are increasingly more
capable of gathering enough information in target AWS and Google Cloud
environments to perform additional post-exploitation operations. This could
lead to more cases of lateral movement and potential privilege-escalation
attacks that could ultimately allow TeamTNT actors to acquire
administrative access to an organization’s entire cloud environment,”
according to Palo Alto’s June report.

While now self-armed with the kit necessary to target a wide range of
operating systems, TeamTNT still focuses on cryptocurrency mining. For
example, Windows systems are targeted with the Xmrig miner. A service is
created and a batch file is added to the startup folder to maintain
persistence -- whereas a root payload component is used on vulnerable
Kubernetes systems.