fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Crypto-mining Malware Adds Linux Password Stealing Capability

Crypto-mining Malware Adds Linux Password Stealing Capability

The TeamTNT cybercrime group has recently updated its crypto-mining worm with password-stealing capabilities and with an additional network scanner to make it easier to spread to other vulnerable devices.

While known mostly for actively targeting Docker instances to use compromised systems for unauthorized Monero (XMR) mining, the group now shifted their tactics by upgrading their cryptojacking malware to also collect user credentials.

Password stealer and scanning upgrades

As Unit 42 researchers found TeamTNT is hard at work boosting their malware’s capabilities, this time adding memory password scraping capabilities via mimipy (with support for Windows/Linux/macOS) and mimipenguin (Linux support), two open-source Mimikatz equivalents targeting *NIX desktops.

Black-T, as the worm has been named by Unit 42, collects any plaintext passwords it finds in the compromised systems’ memory and delivers them to TeamTNT’s command and control servers.

“This is the first time TeamTnT actors have been witnessed including this type of post-exploitation operation in their TTPs,” Unit 42 Senior Threat Researcher Nathaniel Quist explained in a report published today.

“Similar to the stolen AWS credentials also captured by the TeamTnT actors, these credentials are likely to be used for additional operations targeted against the organization managing the compromised Docker API.”

Password scraping and theft
Password scraping and theft (Unit 42)

Also Read: Free Privacy Policy Compliance Review

The group has also added the zgrab GoLang network scanner to the Black-T crypto-mining worm, the third scanner on top of pnscan and masscan.

The masscan scanner used by Black-T has also been updated to target the 5555 TCP port which might hint at TeamTnT potentially targeting Android devices, although the evidence for this is currently pretty flimsy according to Unit 42.

TeamTNT attack development

The group’s crypto-mining botnet was first seen in May by MalwareHunterTeam and later examined by Trend Micro who discovered its Docker installation targeting affinity.

In August, Cado Security researchers were the first to spot TeamTNT worm’s new AWS credentials stealing feature, making it the first cryptojacking malware with this capability.

Last month, TeamTNT was observed by Intezer in attacks where the group deployed the legitimate Weave Scope open-source tool to map running processes, containers, and hosts on compromised servers, as well as take control of installed applications.

Code used to steal AWS credentials
Code used to steal AWS credentials (Cado Security)

As the researchers found, this allowed them to gain full control of the victim’s cloud infrastructure since Weave Scope integrates with Docker, Kubernetes, Distributed Cloud Operating System (DC/OS), and AWS Elastic Compute Cloud (ECS).

By combining all these tactics, techniques, and procedures (TTPs), TeamTNT uses its botnet of compromised servers to scan for cloud environments with Kubernetes and Docker installations with exposed APIs with the help of the masscan, pnscan, and/or zgrab network scanners.

Once the malware successfully infects a misconfigured server, it deploys itself in new containers and installs a malicious payload binary which starts mining for Monero (XMR) cryptocurrency.

The latest variants of the Black-T cryptojacking worm will scan infected systems for unencrypted used by AWS CLI to store credentials and config information to steal AWS credentials and, as Unit 42 discovered, will also scrape the memory for plaintext passwords using *NIX Mimikatz equivalents.

Also Read: 8 Simple Ways To Improve Your Website Protection

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us