{"id":6129,"date":"2021-05-27T15:47:36","date_gmt":"2021-05-27T15:47:36","guid":{"rendered":"https:\/\/cybersecuritynews.com\/?p=6129"},"modified":"2021-07-02T15:33:34","modified_gmt":"2021-07-02T15:33:34","slug":"kubernetes-clusters-compromised","status":"publish","type":"post","link":"https:\/\/cybersecuritynews.com\/kubernetes-clusters-compromised\/","title":{"rendered":"Over 50,000 IPs Across Multiple Kubernetes Clusters Were Compromised By the TeamTNT Threat Actors"},"content":{"rendered":"\n<p>Researchers from Trend Micro disclosed that close to 50,000 IPs were compromised across multiple Kubernetes clusters in a cryptojacking campaign conducted by the TeamTNT group.<\/p>\n\n\n\n<p><a href=\"https:\/\/kubernetes.io\/\" target=\"_blank\" rel=\"noreferrer noopener\">Kubernetes<\/a>, developed and backed by Google, is one of the most widely adopted container orchestration platforms for automating the deployment, scaling, and management of containerized applications.<\/p>\n\n\n\n<p>Kubernetes clusters make an attractive target for threat actors because they are often misconfigured, especially those running primarily in <a href=\"https:\/\/cybersecuritynews.com\/cloud-security-tools\/\" target=\"_blank\" rel=\"noreferrer noopener\">cloud environments<\/a> with access to nearly infinite resources.<\/p>\n\n\n\n<p class=\"has-background\" style=\"background-color:#f7f7f7\">According to the analysis, close to 50,000 IPs were found compromised in this attack perpetrated by TeamTNT across multiple clusters.
A number of IPs were repeatedly exploited during the timeframe, and the majority of the compromised nodes were located in China and the US.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>How Is a <a href=\"https:\/\/cybersecuritynews.com\/kubernetes-container-scanner\/\" target=\"_blank\" rel=\"noreferrer noopener\">Kubernetes<\/a> Cluster Compromised?<\/strong><\/h3>\n\n\n\n<p>Previously, Trend Micro highlighted that TeamTNT was actively stealing AWS, Docker, and Linux Secure Shell credentials, as well as waging cryptojacking attacks and placing backdoors &#8211; such as IRC bots and remote shells &#8211; inside Linux devices.<\/p>\n\n\n\n<p class=\"has-background\" style=\"background-color:#f7f7f7\">Researchers at Trend Micro <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/e\/teamtnt-targets-kubernetes--nearly-50-000-ips-compromised.html\" target=\"_blank\" rel=\"noreferrer noopener\">analyzed<\/a> one of the scripts they collected from a TeamTNT server. <em>\u201cTeamTNT at first wanted to disable the bash history on the target host and define environment variables for its command-and-control server, such as the script to install the crypto miner later and the binary of the XMRig Monero miner\u201d, Trend Micro researchers say.<\/em><\/p>\n\n\n\n<p>The script also installs two free, open-source tools available from GitHub: the network scanning tool masscan, developed in C, and the deprecated banner-grabbing tool Zgrab, developed in Go. The newer version, Zgrab2, is also open source and available on GitHub but is not installed by the script.<\/p>\n\n\n\n<p>TeamTNT subsequently installs its <a href=\"https:\/\/cybersecuritynews.com\/messaging-apps-bug\/\" target=\"_blank\" rel=\"noreferrer noopener\">Internet Relay Chat (IRC) bot<\/a>.
The IRC bot is written in C and is stored in the \/tmp folder under the name kube.c to avoid suspicion.<\/p>\n\n\n\n<p>The bot source is compiled with the GNU Compiler Collection (GCC) and deleted once compilation completes. The resulting binary is then moved to the \/root folder and renamed to kube.<\/p>\n\n\n\n<p class=\"has-background\" style=\"background-color:#f7f7f7\">An IRC bot is a set of scripts or an independent program that connects to Internet Relay Chat as a client, so that it appears to other IRC users as just another user. The IRC bot used by TeamTNT, written in C, is based on another well-known IRC bot called Kaiten. In the last part of the script, a function &#8211; kube_pwn() &#8211; uses masscan to look for hosts with port 10250 open.<\/p>\n\n\n\n<p><em>\u201cOnce the connection is established, the attackers then use the Masscan port scanner to scan the internal network of the targeted Kubernetes cluster to look for other unsecured or misconfigured Kubelet agents\u201d, reads the analysis published by Trend Micro.<\/em><\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Kubelets<\/strong><\/h3>\n\n\n\n<p>Port 10250 belongs to the kubelet API, and by default it is open on all nodes of a cluster, including the control-plane and worker nodes. The kubelet is the agent that runs on each node and ensures that the containers belonging to a pod are running. It is also the agent responsible for applying any configuration changes on the nodes.<\/p>\n\n\n\n<p>For each container running on each node, the script uses the \/run <a href=\"https:\/\/cybersecuritynews.com\/endpoint-security-tools\/\">endpoint<\/a> of the kubelet API to execute the following commands:<\/p>\n\n\n\n<p>1. Updates the package index of the container.<\/p>\n\n\n\n<p>2. Installs the packages bash, wget and curl.<\/p>\n\n\n\n<p>3. Downloads a shell script called setup_xmr.sh from the TeamTNT C&amp;C server and saves it in the \/tmp folder.<\/p>\n\n\n\n<p>4.
Executes the script to start mining the Monero cryptocurrency.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Final Word<\/strong><\/h4>\n\n\n\n<p>The researchers note that the consistent use of cryptojacking and credential theft indicates that these will remain part of the threat actor\u2019s primary set of techniques for the near future.<\/p>\n\n\n\n<p>The high number of targets shows that TeamTNT is still expanding its reach (especially in cloud environments) and perhaps its infrastructure, since the group can monetize its campaigns more effectively with more potential victims.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Researchers from Trend Micro disclosed that close to 50,000 IPs were compromised across multiple Kubernetes clusters in a cryptojacking campaign conducted by the TeamTNT group. Kubernetes, developed and backed by Google, is one of the most widely adopted container orchestration platforms for automating the deployment, scaling, and management of containerized applications.
It makes an attractive [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":6131,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/1.bp.blogspot.com\/-F21MBVgR75U\/YK--oTHUqRI\/AAAAAAAANUE\/bn2rI5Xj_rglVEI3w__UIVFdNQVMeuv3QCLcBGAsYHQ\/s16000\/Kubernetes%2BClusters%2BCompromised1.png","fifu_image_alt":"Kubernetes Clusters Compromised","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[10,11,33,48],"tags":[149,266],"class_list":{"0":"post-6129","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-cyber-security","8":"category-cyber-security-news","9":"category-malware","10":"category-threats","11":"tag-cyber-security","12":"tag-malware"},"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v25.7.1 (Yoast SEO v25.7) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Over 50,000 Ips Across Multiple Kubernetes Clusters Were Compromised<\/title>\n<meta name=\"description\" content=\"Over 50,000 IPs were compromised across multiple Kubernetes clusters in a cryptojacking campaign conducted by the TeamTNT group.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/cybersecuritynews.com\/kubernetes-clusters-compromised\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Over 50,000 Ips Across Multiple Kubernetes Clusters Were Compromised By the TeamTNT Threat Actors\" \/>\n<meta property=\"og:description\" content=\"Over 50,000 IPs were compromised across multiple Kubernetes clusters in a cryptojacking campaign conducted by the TeamTNT group.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/cybersecuritynews.com\/kubernetes-clusters-compromised\/\" 
\/>\n<meta property=\"og:site_name\" content=\"Cyber Security News\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Hackingtutorialsandnews\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/guruba008\" \/>\n<meta property=\"article:published_time\" content=\"2021-05-27T15:47:36+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-07-02T15:33:34+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/1.bp.blogspot.com\/-F21MBVgR75U\/YK--oTHUqRI\/AAAAAAAANUE\/bn2rI5Xj_rglVEI3w__UIVFdNQVMeuv3QCLcBGAsYHQ\/s16000\/Kubernetes%2BClusters%2BCompromised1.png\" \/>\n<meta name=\"author\" content=\"Guru Baran\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/1.bp.blogspot.com\/-F21MBVgR75U\/YK--oTHUqRI\/AAAAAAAANUE\/bn2rI5Xj_rglVEI3w__UIVFdNQVMeuv3QCLcBGAsYHQ\/s16000\/Kubernetes%2BClusters%2BCompromised1.png\" \/>\n<meta name=\"twitter:creator\" content=\"@guruba008\" \/>\n<meta name=\"twitter:site\" content=\"@The_Cyber_News\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Guru Baran\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<!-- \/ Yoast SEO Premium plugin. 
-->","yoast_head_json":{"title":"Over 50,000 Ips Across Multiple Kubernetes Clusters Were Compromised","description":"Over 50,000 IPs were compromised across multiple Kubernetes clusters in a cryptojacking campaign conducted by the TeamTNT group.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/cybersecuritynews.com\/kubernetes-clusters-compromised\/","og_locale":"en_US","og_type":"article","og_title":"Over 50,000 Ips Across Multiple Kubernetes Clusters Were Compromised By the TeamTNT Threat Actors","og_description":"Over 50,000 IPs were compromised across multiple Kubernetes clusters in a cryptojacking campaign conducted by the TeamTNT group.","og_url":"https:\/\/cybersecuritynews.com\/kubernetes-clusters-compromised\/","og_site_name":"Cyber Security News","article_publisher":"https:\/\/www.facebook.com\/Hackingtutorialsandnews","article_author":"https:\/\/www.facebook.com\/guruba008","article_published_time":"2021-05-27T15:47:36+00:00","article_modified_time":"2021-07-02T15:33:34+00:00","og_image":[{"url":"https:\/\/1.bp.blogspot.com\/-F21MBVgR75U\/YK--oTHUqRI\/AAAAAAAANUE\/bn2rI5Xj_rglVEI3w__UIVFdNQVMeuv3QCLcBGAsYHQ\/s16000\/Kubernetes%2BClusters%2BCompromised1.png","type":"","width":"","height":""}],"author":"Guru Baran","twitter_card":"summary_large_image","twitter_image":"https:\/\/1.bp.blogspot.com\/-F21MBVgR75U\/YK--oTHUqRI\/AAAAAAAANUE\/bn2rI5Xj_rglVEI3w__UIVFdNQVMeuv3QCLcBGAsYHQ\/s16000\/Kubernetes%2BClusters%2BCompromised1.png","twitter_creator":"@guruba008","twitter_site":"@The_Cyber_News","twitter_misc":{"Written by":"Guru Baran","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"NewsArticle","@id":"https:\/\/cybersecuritynews.com\/kubernetes-clusters-compromised\/#article","isPartOf":{"@id":"https:\/\/cybersecuritynews.com\/kubernetes-clusters-compromised\/"},"author":{"name":"Guru Baran","@id":"https:\/\/cybersecuritynews.com\/#\/schema\/person\/f7f138f8fd41a61bb60151da47730026"},"headline":"Over 50,000 Ips Across Multiple Kubernetes Clusters Were Compromised By the TeamTNT Threat Actors","datePublished":"2021-05-27T15:47:36+00:00","dateModified":"2021-07-02T15:33:34+00:00","mainEntityOfPage":{"@id":"https:\/\/cybersecuritynews.com\/kubernetes-clusters-compromised\/"},"wordCount":663,"publisher":{"@id":"https:\/\/cybersecuritynews.com\/#organization"},"image":{"@id":"https:\/\/cybersecuritynews.com\/kubernetes-clusters-compromised\/#primaryimage"},"thumbnailUrl":"https:\/\/i1.wp.com\/1.bp.blogspot.com\/-F21MBVgR75U\/YK--oTHUqRI\/AAAAAAAANUE\/bn2rI5Xj_rglVEI3w__UIVFdNQVMeuv3QCLcBGAsYHQ\/s16000\/Kubernetes%2BClusters%2BCompromised1.png?w=728&resize=728,380&ssl=1","keywords":["cyber security","malware"],"articleSection":["Cyber Security","Cyber Security News","Malware","Threats"],"inLanguage":"en-US","copyrightYear":"2021","copyrightHolder":{"@id":"https:\/\/cybersecuritynews.com\/#organization"}},{"@type":"WebPage","@id":"https:\/\/cybersecuritynews.com\/kubernetes-clusters-compromised\/","url":"https:\/\/cybersecuritynews.com\/kubernetes-clusters-compromised\/","name":"Over 50,000 Ips Across Multiple Kubernetes Clusters Were 
Compromised","isPartOf":{"@id":"https:\/\/cybersecuritynews.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/cybersecuritynews.com\/kubernetes-clusters-compromised\/#primaryimage"},"image":{"@id":"https:\/\/cybersecuritynews.com\/kubernetes-clusters-compromised\/#primaryimage"},"thumbnailUrl":"https:\/\/i1.wp.com\/1.bp.blogspot.com\/-F21MBVgR75U\/YK--oTHUqRI\/AAAAAAAANUE\/bn2rI5Xj_rglVEI3w__UIVFdNQVMeuv3QCLcBGAsYHQ\/s16000\/Kubernetes%2BClusters%2BCompromised1.png?w=728&resize=728,380&ssl=1","datePublished":"2021-05-27T15:47:36+00:00","dateModified":"2021-07-02T15:33:34+00:00","description":"Over 50,000 IPs were compromised across multiple Kubernetes clusters in a cryptojacking campaign conducted by the TeamTNT group.","breadcrumb":{"@id":"https:\/\/cybersecuritynews.com\/kubernetes-clusters-compromised\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/cybersecuritynews.com\/kubernetes-clusters-compromised\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cybersecuritynews.com\/kubernetes-clusters-compromised\/#primaryimage","url":"https:\/\/i1.wp.com\/1.bp.blogspot.com\/-F21MBVgR75U\/YK--oTHUqRI\/AAAAAAAANUE\/bn2rI5Xj_rglVEI3w__UIVFdNQVMeuv3QCLcBGAsYHQ\/s16000\/Kubernetes%2BClusters%2BCompromised1.png?w=728&resize=728,380&ssl=1","contentUrl":"https:\/\/i1.wp.com\/1.bp.blogspot.com\/-F21MBVgR75U\/YK--oTHUqRI\/AAAAAAAANUE\/bn2rI5Xj_rglVEI3w__UIVFdNQVMeuv3QCLcBGAsYHQ\/s16000\/Kubernetes%2BClusters%2BCompromised1.png?w=728&resize=728,380&ssl=1","width":"728","height":"380","caption":"Kubernetes Clusters Compromised"},{"@type":"BreadcrumbList","@id":"https:\/\/cybersecuritynews.com\/kubernetes-clusters-compromised\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/cybersecuritynews.com\/"},{"@type":"ListItem","position":2,"name":"Over 50,000 Ips Across Multiple Kubernetes Clusters Were Compromised By the TeamTNT Threat 
Actors"}]},{"@type":"WebSite","@id":"https:\/\/cybersecuritynews.com\/#website","url":"https:\/\/cybersecuritynews.com\/","name":"Cyber Security News","description":"World&#039;s #1 Premier Cybersecurity and Hacking News Portal","publisher":{"@id":"https:\/\/cybersecuritynews.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/cybersecuritynews.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/cybersecuritynews.com\/#organization","name":"Cyber Security News","url":"https:\/\/cybersecuritynews.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cybersecuritynews.com\/#\/schema\/logo\/image\/","url":"https:\/\/cybersecuritynews.com\/wp-content\/uploads\/2021\/06\/Cyber-security.jpg","contentUrl":"https:\/\/cybersecuritynews.com\/wp-content\/uploads\/2021\/06\/Cyber-security.jpg","width":200,"height":200,"caption":"Cyber Security News"},"image":{"@id":"https:\/\/cybersecuritynews.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Hackingtutorialsandnews","https:\/\/x.com\/The_Cyber_News","https:\/\/www.linkedin.com\/company\/cybersecurity-news\/"]},{"@type":"Person","@id":"https:\/\/cybersecuritynews.com\/#\/schema\/person\/f7f138f8fd41a61bb60151da47730026","name":"Guru Baran","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cybersecuritynews.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/72f86da0bb72b6886d25f0ef0c881daba3a98356bc44f916f8d3a62c9e856579?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/72f86da0bb72b6886d25f0ef0c881daba3a98356bc44f916f8d3a62c9e856579?s=96&d=mm&r=g","caption":"Guru Baran"},"description":"Gurubaran is the Co-Founder and Editor-in-Chief of CyberSecurityNews.com, specializing in vulnerability analysis, malware 
research, ransomware, and computer forensics.","sameAs":["https:\/\/cybersecuritynews.com","https:\/\/www.facebook.com\/guruba008","https:\/\/www.linkedin.com\/in\/gurubaran-cyberwrites\/","https:\/\/x.com\/guruba008"],"url":"https:\/\/cybersecuritynews.com\/author\/guru\/"}]}},"jetpack_featured_media_url":"https:\/\/i1.wp.com\/1.bp.blogspot.com\/-F21MBVgR75U\/YK--oTHUqRI\/AAAAAAAANUE\/bn2rI5Xj_rglVEI3w__UIVFdNQVMeuv3QCLcBGAsYHQ\/s16000\/Kubernetes%2BClusters%2BCompromised1.png?w=728&resize=728,380&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/posts\/6129","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/comments?post=6129"}],"version-history":[{"count":1,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/posts\/6129\/revisions"}],"predecessor-version":[{"id":6130,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/posts\/6129\/revisions\/6130"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/media\/6131"}],"wp:attachment":[{"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/media?parent=6129"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/categories?post=6129"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/tags?post=6129"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}