TeamTNT: Explosive Cryptomining

Conference:  BlackHat USA 2021

2021-11-10

Summary

TeamTNT is a major threat actor targeting Linux environments with a focus on cryptojacking. They use open source tools and actively respond to researchers.
  • TeamTNT targets Linux environments with a focus on cryptojacking
  • They use open source tools and actively respond to researchers
  • They have added libprocesshider and expanded their credential-stealing capabilities
  • They have targeted cloud instances in Asia, mainly on Tencent, Alibaba, and Amazon
  • They have shifted and added to their attack chain, focusing on Docker and Kubernetes
  • They released a copyright header to tag their own files and prevent copycats
TeamTNT is known for actively engaging with researchers and for relying on open source tools; they have even responded to researchers who misinterpreted their findings. They released a copyright header to tag their own files and stop copycats from reusing their scripts. Their focus on cryptojacking has made them a major threat actor in the Linux environment, targeting cloud instances in Asia and using tools such as libprocesshider alongside credential-stealing capabilities. They have shifted and added to their attack chain, focusing on Docker and Kubernetes. Their reliance on open source tools highlights the importance of defenders knowing which tools are available to attackers and how they can be used.

Abstract

Since the introduction of Amazon Web Services (AWS) there has been a steady migration from on-premises to cloud deployments. Misconfigured cloud services can be low-hanging fruit for an attacker. Palo Alto Networks found that Docker services were attacked about every 90 minutes during the Spring of 2021. Of these attacks, around 76% were by cryptojacking threat actors, one of the most active in this field being TeamTNT.

TeamTNT is one of the predominant cryptojacking threat actors currently targeting Linux servers. This session will present the threat actor's activity and their Tactics, Techniques and Procedures (TTPs) throughout their different campaigns. The first public report on TeamTNT was published in May 2020 by Trend Micro and covered attacks against servers running exposed Docker instances. While this is early activity, it is not the earliest that can be attributed to the threat actor. Based on our findings, we can conclude that they have been active since the Fall of 2019, which was six months before the initial report on the threat actor's activity. While TeamTNT is mainly known for compromising Kubernetes clusters and servers running Docker, this session will also highlight campaigns against servers running Redis and Windows.

The threat actor maintains a public persona on Twitter. In addition to some of the technical details, this session will present the threat actor's social media activity and how they are uniquely interacting with the security research community.

The session and the accompanying whitepaper will provide defenders with all information needed to better protect against and detect attacks by this threat actor. The whole toolset will be presented, including: scripts, DDoS malware, backdoors, and rootkits.