Experts in the field of security have raised alarm over the possibility of the notorious TeamTNT group staging a substantial offensive against cloud-native environments. This comes in the wake of observations made by these experts regarding a threat actor searching for misconfigured servers.

Aqua Security, who initiated its investigation after detecting an attack on a honeypot it owned, managed to uncover four malicious container images in the process. Given the fact that some portions of the code remained unutilized, and there were signs of manual testing, it led the researchers to conjecture that the campaign had not yet been fully deployed.

The experts inferred that the infrastructure, still in its nascent stages of testing and deployment, predominantly comprises an aggressive cloud worm. This worm, they explain, is designed to deploy on exposed JupyterLab and Docker APIs for the purpose of deploying Tsunami malware. Additionally, it facilitates cloud credentials hijack, resource hijack, and further propagation of the worm itself.

There’s a strong conviction among the researchers that TeamTNT is orchestrating this new campaign. TeamTNT, a cybercrime group notorious for its aggressive attacks on cloud-based systems, particularly Docker and Kubernetes environments, is known for specializing in cryptomining. However, over time, the group has expanded its malevolent activities.

Despite TeamTNT seemingly halting its operations in late 2021, Aqua Security linked the newly observed campaign to the group through identifying the group’s frequently used Tsunami malware, the use of the dAPIpwn function, and a C2 server that responded in German.

In the experts’ view, the possibility of an “advanced copycat” can’t be completely dismissed. If this were the case, it would have to be an equally sophisticated group capable of mimicking the TeamTNT code, and one that exhibited a “unique sense of humor” and “liking for the Dutch language.”

The emerging threat activity, as observed by Aqua Security, commences when the threat actor identifies a misconfigured Docker API or JupyterLab server and proceeds to deploy a container or interacts with the Command Line Interface (CLI) to detect and identify additional victims.

They noted that this procedure is devised to proliferate the malware to an increasing number of servers. They also highlighted that the secondary payload of this attack includes a cryptominer and a backdoor, with the latter utilizing the Tsunami malware as its preferred weapon.

To help organizations defend against this threat, Aqua Security has provided a list of recommendations.