An Upgraded TeamTNT Botnet

TeamTNT is a cryptocurrency mining botnet that exploits Docker APIs to gain access to victims' servers. It was first noted by Trend Micro researchers in mid-2020, who detailed how it cashes in on misconfigured Docker APIs to get in and install cryptocurrency mining software that earns coins for its operators. System operators who run Docker and leave its ports open without any authentication are targeted by TeamTNT. The attackers exploit this to get in and are said to be stealing AWS credentials as well as installing their mining software to mint cryptocurrencies. Now, the same researchers report that the botnet has been upgraded to steal Docker credentials too.

Previously, it used stolen AWS credentials to pivot into the host's network (whether an individual's or a company's) and spread to other connected machines, installing crypto mining software on them to earn more. This made TeamTNT the first such botnet to steal AWS credentials in addition to earning cryptocurrencies.

Regarding the new update, Trend Micro's senior security researcher Alfredo Oliveira said that stealing Docker credentials gives the botnet further advantages, and warned users to set firewalls that limit port access, in addition to setting strong passwords. Closing dormant ports and strictly limiting access to only a few parties can ward off most botnet attacks, as past incidents have shown.
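The exposure the article describes is a Docker daemon whose TCP API is bound to every interface without client authentication. The following added example (not code from the article or from Trend Micro) audits a `daemon.json` document for that condition, shows a weak configuration beside a hardened one, and emits the host firewall rules the researcher's advice calls for. The sample configurations and certificate paths are constructed for illustration; the key names (`hosts`, `tls`, `tlsverify`, `tlscacert`, `tlscert`, `tlskey`) are Docker's own, and ports 2375/2376 are Docker's documented plaintext and TLS defaults.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample of a weak /etc/docker/daemon.json: the API listens on every
# interface on the plaintext port and no client authentication is configured.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed hardened counterpart: TLS client-certificate verification is on and
# the listener uses the TLS port. Certificate paths are assumed; adjust per host.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/certs/ca.pem",
    "tlscert": "/etc/docker/certs/server-cert.pem",
    "tlskey": "/etc/docker/certs/server-key.pem",
})


def _is_loopback(bind_host: str) -> bool:
    """True when the listener can only be reached from the host itself."""
    try:
        return ipaddress.ip_address(bind_host).is_loopback
    except ValueError:
        return bind_host == "localhost"


def audit_daemon_config(raw_json: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings for a daemon.json document.

    Only tcp:// listeners matter: unix:// and fd:// sockets are not network-reachable.
    """
    cfg = json.loads(raw_json)
    tls_verify = bool(cfg.get("tlsverify", False))
    tls_on = tls_verify or bool(cfg.get("tls", False))
    findings: list[tuple[str, str]] = []
    for host in cfg.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue
        bind_host = parts.hostname or "0.0.0.0"  # an empty host means all interfaces
        port = parts.port or (2376 if tls_on else 2375)  # Docker's documented defaults
        if _is_loopback(bind_host):
            continue
        where = f"{host} (bound to {bind_host}:{port})"
        if not tls_on:
            findings.append(("critical", f"{where}: plaintext Docker API reachable "
                                         "from the network with no authentication"))
        elif not tls_verify:
            findings.append(("warning", f"{where}: TLS is enabled but tlsverify is "
                                        "off, so any client can still connect"))
        else:
            findings.append(("info", f"{where}: authenticated listener; still "
                                     f"restrict port {port} with a host firewall"))
    return findings


def firewall_rules(port: int, allowed_cidrs: list[str]) -> list[str]:
    """iptables rules that allow the Docker API port only from the given networks."""
    rules = []
    for cidr in allowed_cidrs:
        ipaddress.ip_network(cidr)  # raises ValueError on a malformed network
        rules.append(f"iptables -A INPUT -p tcp --dport {port} -s {cidr} -j ACCEPT")
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(f"[{label}]")
        for severity, message in audit_daemon_config(doc):
            print(f"  {severity}: {message}")
    print("\n".join(firewall_rules(2376, ["10.0.0.0/8"])))
```

Run it against the real file with `audit_daemon_config(open("/etc/docker/daemon.json").read())`; a listener that is reachable from the network and lacks `tlsverify` is exactly the open, unauthenticated port the botnet looks for, and even an authenticated listener should sit behind the firewall rules the second function prints.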
