Sophisticated Cloud Credential Theft Campaign Targets AWS, Expands to Azure and Google Cloud

A cybercriminal group behind a sophisticated cloud-credential stealing and cryptomining campaign has recently expanded its targets beyond Amazon Web Services (AWS) to include Microsoft Azure and Google Cloud Platform (GCP).

Researchers from SentinelOne and Permiso have been tracking the campaign and have found significant similarities between the tools used in this campaign and those associated with the notorious threat actor known as TeamTNT, which is primarily driven by financial motives.

The campaign’s broader targeting started in June and has been evolving with incremental refinements since December. The recent attacks on Azure and GCP cloud services involve the same core attack scripts used in the AWS campaign.

However, according to Alex Delamotte, a threat researcher at SentinelOne, the capabilities for Azure and GCP are less developed compared to those for AWS.

TeamTNT is well-known for exploiting cloud misconfigurations and vulnerabilities to target exposed cloud services. Originally focused on cryptomining campaigns, the group has now expanded its activities to include data theft and backdoor deployment.

Recently, the attackers have been targeting exposed Docker services using modified shell scripts capable of profiling systems, searching for credential files, and exfiltrating them. They also collect environment variable details to identify valuable services for potential future attacks.

The attacker’s toolset works across different cloud service providers and does not show significant

[…]
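The behaviour the article describes, a single process reading the CLI credential stores of more than one cloud provider and dumping environment blocks, is something a defender can look for in host file-access telemetry. The following detector is an added example written for this page; it is not code from the article, from SentinelOne or Permiso, or from the campaign. It assumes a simplified, constructed audit record format (`<timestamp> pid=<n> comm=<name> path=<file>`, one record per file open); real auditd or EDR output uses different field names, so map them before use. The credential paths are the well-known default locations used by the AWS, Azure and gcloud CLIs.

```python
"""Flag processes that read multi-cloud credential files or harvest environments.

Added example, not part of the original article. Assumes a constructed record
format "<timestamp> pid=<n> comm=<name> path=<file>", one file open per line.
"""
import re
from collections import defaultdict

# Default credential stores for the three providers named in the article
# (well-known CLI paths, used here purely as detection indicators).
CREDENTIAL_PATTERNS = [
    ("aws", re.compile(r"/\.aws/(credentials|config)$")),
    ("azure", re.compile(r"/\.azure/(accessTokens\.json|azureProfile\.json|msal_token_cache\.json)$")),
    ("gcp", re.compile(r"/\.config/gcloud/(credentials\.db|access_tokens\.db|application_default_credentials\.json)$")),
]
# Reading another process's environment block is how environment-variable
# harvesting typically appears on a Linux host.
ENVIRON_RE = re.compile(r"^/proc/\d+/environ$")
# Assumed record layout (constructed for this example).
RECORD_RE = re.compile(r"^(?P<ts>\S+) pid=(?P<pid>\d+) comm=(?P<comm>\S+) path=(?P<path>\S+)$")


def classify_path(path):
    """Return 'cred:<provider>', 'environ', or None for an opened path."""
    for provider, pattern in CREDENTIAL_PATTERNS:
        if pattern.search(path):
            return f"cred:{provider}"
    if ENVIRON_RE.match(path):
        return "environ"
    return None


def scan(lines):
    """Group sensitive reads by pid and return alerts.

    A pid is alerted when it reads credential files for more than one
    provider, or combines a credential read with a /proc/<pid>/environ read.
    A lone read of one provider's file (normal CLI use) is not alerted.
    """
    per_pid = defaultdict(lambda: {"comm": None, "tags": set(), "paths": []})
    for line in lines:
        match = RECORD_RE.match(line.strip())
        if not match:
            continue  # skip malformed records instead of aborting the scan
        tag = classify_path(match["path"])
        if tag is None:
            continue
        entry = per_pid[match["pid"]]
        entry["comm"] = match["comm"]
        entry["tags"].add(tag)
        entry["paths"].append(match["path"])

    alerts = []
    for pid, entry in per_pid.items():
        providers = {t for t in entry["tags"] if t.startswith("cred:")}
        if len(providers) > 1 or (providers and "environ" in entry["tags"]):
            alerts.append({
                "pid": pid,
                "comm": entry["comm"],
                "tags": sorted(entry["tags"]),
                "paths": entry["paths"],
            })
    return alerts


# Constructed sample records (not real telemetry): pid 4242 shows the
# multi-cloud profiling pattern, pid 900 is ordinary single-provider CLI use.
SAMPLE_RECORDS = [
    "2023-07-01T10:00:01Z pid=900 comm=aws path=/home/dev/.aws/credentials",
    "2023-07-01T10:00:02Z pid=4242 comm=sh path=/root/.aws/credentials",
    "2023-07-01T10:00:02Z pid=4242 comm=sh path=/root/.azure/azureProfile.json",
    "2023-07-01T10:00:03Z pid=4242 comm=sh path=/proc/1/environ",
    "2023-07-01T10:00:04Z pid=4242 comm=sh path=/etc/hostname",
    "this line is malformed and must be ignored",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(alert)
```

The threshold (two providers, or one provider plus an environ read) is chosen so that a developer running a single cloud CLI does not trigger it; tune it to your fleet and feed the detector from real file-open telemetry rather than the constructed records above.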

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents