Concise Cyber


TeamTNT Ransomware Group Now Targeting AWS S3 Buckets for Data Extortion

A ransomware group known as TeamTNT has evolved its attack methods to include the exfiltration and extortion of data stored in Amazon Web Services (AWS) S3 buckets. The new attack vector was identified by researchers at cybersecurity firm Cado Security, marking a significant shift in the group’s operations from cryptocurrency mining to data theft.

TeamTNT’s operations now involve actively scanning for and stealing AWS credentials. The group has been observed gaining initial access to cloud environments through misconfigured Kubernetes clusters to locate these credentials.

TeamTNT’s Attack Methodology on S3 Buckets

Once TeamTNT has compromised a system and acquired AWS credentials, their tools automatically scan for accessible S3 buckets. Using the AWS Command Line Interface (CLI), the attackers systematically copy all the data from a victim’s bucket to a server under their control. After the data exfiltration is complete, the group proceeds to delete the original data from the victim’s S3 bucket.

In place of the stolen data, the attackers leave a ransom note. This note demands a payment in Bitcoin in exchange for the return of the exfiltrated information. This entire process demonstrates a clear and direct move into data extortion, leveraging cloud storage as the primary target.
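The read-everything, delete-everything, drop-a-note sequence described above is visible in S3 access logging if object-level events are recorded. The following detector is an added example, not code from Cado Security or the article; it assumes a simplified, flattened event record (real CloudTrail nests the principal under userIdentity.arn and the bucket and key under requestParameters), and the sample events, bucket name and account id are constructed.

```python
from collections import defaultdict
from datetime import datetime

def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def ev(time, name, user, key):
    """One flattened S3 data event (simplified from real CloudTrail JSON)."""
    return {"eventTime": time, "eventName": name, "bucket": "corp-backups",
            "arn": f"arn:aws:iam::111122223333:user/{user}", "key": key}

# Constructed sample events, not real logs: one principal reads every object,
# deletes the same keys minutes later, then drops a new object (the note).
SAMPLE_EVENTS = [
    ev("2025-10-01T10:00:00Z", "GetObject", "ci-deploy", "db/2025-09-30.sql.gz"),
    ev("2025-10-01T10:00:02Z", "GetObject", "ci-deploy", "db/2025-09-29.sql.gz"),
    ev("2025-10-01T10:00:04Z", "GetObject", "ci-deploy", "hr/payroll.csv"),
    ev("2025-10-01T10:03:00Z", "DeleteObject", "ci-deploy", "db/2025-09-30.sql.gz"),
    ev("2025-10-01T10:03:01Z", "DeleteObject", "ci-deploy", "db/2025-09-29.sql.gz"),
    ev("2025-10-01T10:03:02Z", "DeleteObject", "ci-deploy", "hr/payroll.csv"),
    ev("2025-10-01T10:04:00Z", "PutObject", "ci-deploy", "README_TO_RECOVER.txt"),
    # Benign: a nightly job re-reads and overwrites one object it owns.
    ev("2025-10-01T10:05:00Z", "GetObject", "nightly", "manifest.json"),
    ev("2025-10-01T10:05:01Z", "PutObject", "nightly", "manifest.json"),
]

def find_exfil_then_delete(events, window_min=30, min_objects=3):
    """Flag (identity, bucket) pairs where one principal read and then deleted at
    least min_objects of the same keys within window_min minutes; also list keys
    it wrote afterwards that it never read (a likely ransom note)."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["arn"], e["bucket"])].append(e)
    findings = []
    for (arn, bucket), evs in groups.items():
        evs.sort(key=lambda e: _t(e["eventTime"]))
        read, deleted, dropped = {}, {}, []
        for e in evs:
            k, when = e["key"], _t(e["eventTime"])
            if e["eventName"] == "GetObject":
                read.setdefault(k, when)
            elif e["eventName"] == "DeleteObject" and k in read:
                deleted[k] = when
            elif e["eventName"] == "PutObject" and deleted and k not in read:
                dropped.append(k)
        hits = [k for k, d in deleted.items() if (d - read[k]).total_seconds() <= window_min * 60]
        if len(hits) >= min_objects:
            findings.append({"identity": arn, "bucket": bucket, "objects": len(hits), "dropped_keys": dropped})
    return findings
```

Running `find_exfil_then_delete(SAMPLE_EVENTS)` flags only the ci-deploy principal; in a real account this logic needs S3 data events enabled in CloudTrail, since management-only trails never record GetObject or DeleteObject calls.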

A Strategic Shift from Cryptojacking

Previously, TeamTNT was known primarily for targeting cloud and container environments to install cryptocurrency miners, a practice known as cryptojacking. The group utilized malware, including a tool identified as “Hildegard,” to gain control of systems for this purpose. The latest findings from Cado Security show that the group’s malware now includes modules specifically designed to search for AWS credential files.

This adaptation signifies a strategic change for the group, moving from resource hijacking to the more direct and potentially more lucrative crime of data ransom. By stealing sensitive data and holding it hostage, TeamTNT has added a new layer of threat for organizations utilizing AWS cloud services.

Source: https://www.csoonline.com/article/4094475/ransomware-gangs-find-a-new-hostage-your-aws-s3-buckets.html