AWS Cryptojacking Worm Spreads Through the Cloud:
A cryptomining worm from the group known as TeamTNT is spreading through the Amazon Web Services (AWS) cloud and collecting credentials. Once the logins are harvested, the malware logs in and deploys the XMRig mining tool to mine Monero cryptocurrency.
According to researchers at Cado Security, the worm also deploys a number of openly available malware and offensive security tools, including "punk.py," an SSH post-exploitation tool; a log cleaning tool; the Diamorphine rootkit; and the Tsunami IRC backdoor.
It is, they said, the first threat observed in the wild that specifically targets AWS for cryptojacking purposes. However, it also carries out more familiar fare.
"The worm also steals local credentials, and scans the internet for misconfigured Docker platforms," according to a Monday posting. "We have seen the attackers...compromise a number of Docker and Kubernetes systems."
[...] Cado researchers suggested that to thwart such attacks, businesses should identify which systems are storing AWS credential files and delete them if they aren't needed. They should also review network traffic for any connections to mining pools, or for any traffic sending the AWS credentials file over HTTP, and use firewall rules to limit access to Docker APIs.
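The three checks Cado recommends (a credentials file leaving the host over HTTP, connections to mining pools, and unrestricted access to a Docker API) can be expressed as detection logic run over outbound and inbound connection records. The block below is an added example written for this page, not code from Cado Security, Threatpost or TeamTNT's tooling. It assumes a simple per-connection event dict (fields `id`, `direction`, `proto`, `src`, `dst`, `dport`, `body`) such as a proxy or NDR sensor might emit; the stratum port list, the allowlist of Docker clients, and the "login" JSON-RPC heuristic for XMRig's pool handshake are assumptions to tune for your environment. The sample events are constructed, using AWS's documented example key pair.

```python
"""Flag TeamTNT-style indicators in connection records (added example).

Checks implemented:
  1. an HTTP body that looks like an AWS ~/.aws/credentials file
  2. a connection that looks like mining-pool (stratum) traffic
  3. inbound access to the unauthenticated Docker API port from a
     host that is not on the allowlist
"""
from __future__ import annotations

import json
import re

# AWS long-term access key IDs start with "AKIA" (temporary STS keys with
# "ASIA") and are 20 characters; secret keys are 40 characters.
AWS_CRED_FILE_RE = re.compile(
    r"aws_access_key_id\s*=\s*(?:AKIA|ASIA)[A-Z0-9]{16}"
    r".*?aws_secret_access_key\s*=\s*[A-Za-z0-9/+=]{40}",
    re.IGNORECASE | re.DOTALL,
)

# Assumption: ports commonly used by stratum mining pools. Port alone is a
# weak signal; the JSON-RPC "login" check below is the stronger one.
STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}

# 2375 is Docker's plaintext, unauthenticated remote API port (2376 is TLS).
DOCKER_API_PORT = 2375
# Assumption: hosts permitted to reach the Docker API, e.g. a CI runner.
ALLOWED_DOCKER_CLIENTS = {"10.0.0.5"}


def looks_like_aws_credentials(body: str) -> bool:
    """True if the body contains an INI-style AWS credentials section."""
    return AWS_CRED_FILE_RE.search(body) is not None


def looks_like_stratum_login(payload: str) -> bool:
    """True if the payload is a stratum JSON-RPC 'login' request.

    Assumption: XMRig opens a pool session with {"method": "login", ...}.
    """
    try:
        msg = json.loads(payload)
    except ValueError:
        return False
    return isinstance(msg, dict) and msg.get("method") == "login"


def classify(event: dict) -> list[str]:
    """Return the list of indicator names that match one connection record."""
    findings: list[str] = []
    body = event.get("body", "")
    if looks_like_aws_credentials(body):
        findings.append("aws_credentials_in_http_body")
    if event.get("dport") in STRATUM_PORTS or looks_like_stratum_login(body):
        findings.append("possible_mining_pool")
    if (
        event.get("direction") == "inbound"
        and event.get("dport") == DOCKER_API_PORT
        and event.get("src") not in ALLOWED_DOCKER_CLIENTS
    ):
        findings.append("docker_api_exposed")
    return findings


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event id -> findings for every event that triggered a check."""
    return {e["id"]: f for e in events if (f := classify(e))}


# Constructed sample events (not real captures). Event 1 uses the example
# key pair from AWS documentation, which is not a live credential.
SAMPLE_EVENTS = [
    {"id": 1, "direction": "outbound", "proto": "http", "src": "10.0.0.21",
     "dst": "203.0.113.10", "dport": 80,
     "body": "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
             "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"},
    {"id": 2, "direction": "outbound", "proto": "tcp", "src": "10.0.0.21",
     "dst": "203.0.113.44", "dport": 3333,
     "body": '{"id":1,"jsonrpc":"2.0","method":"login",'
             '"params":{"login":"WALLET_PLACEHOLDER","pass":"x","agent":"XMRig/6.7.2"}}'},
    {"id": 3, "direction": "outbound", "proto": "https", "src": "10.0.0.21",
     "dst": "api.internal.example", "dport": 443, "body": '{"status":"ok"}'},
    {"id": 4, "direction": "inbound", "proto": "tcp", "src": "198.51.100.7",
     "dst": "10.0.0.21", "dport": 2375, "body": ""},
]

if __name__ == "__main__":
    for event_id, findings in scan(SAMPLE_EVENTS).items():
        print(event_id, findings)
```

Events 1, 2 and 4 are flagged; the ordinary HTTPS call in event 3 is not. The credentials-file regex is deliberately strict (key ID prefix plus a 40-character secret) so that a stray "AKIA" string in unrelated traffic does not page anyone, and the Docker check fires only for sources outside the allowlist, which is the firewall policy Cado recommends expressed as a detection.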
(Score: 2) by Barenflimski on Sunday August 23 2020, @07:51PM (1 child)
Anyone have any idea of some more in-depth info on this? Anyone got a link to some code by any chance?
I'd like to understand how this is actually worming its way through. Is this using the Amazon backend/admin servers? Is this using AWS servers that were already hacked? Is this using the AWS scripting functions?
(Score: 2) by Common Joe on Monday August 24 2020, @08:40AM
I wondered the same thing. The article isn't specific enough for my taste. From TFA:
This implies that they already had to have access. The sentence about unencrypted credentials also caught my attention. I know Windows has a way to encrypt files based on the specific hardware it's on. If the file is copied to another computer, it's useless. Is there some equivalent in Linux?
Disclaimer: I haven't worked with AWS