Security News > 2023 > July > Infosec watchers: TeamTNT crew may blast holes in Azure, Google Cloud users
A criminal crew with a history of deploying malware to harvest credentials from Amazon Web Services accounts may expand its attention to organizations using Microsoft Azure and Google Cloud Platform.
The crooks used to target primarily AWS users, and now seem to be looking for ways into Azure and Google Cloud accounts.
According a write-up last year from Elastic Security Labs, 33 percent of cyberattacks in the cloud use stolen credentials, something TeamTNT is known for.
Those updates have brought in support for obtaining Azure and Google Cloud credentials, made the scripts more modular to achieve more complex attacks, improved the credential harvesting, and brought in the curl command-line tool to exfiltrate data.
The work SentinelLabs and Permiso echoes what Aqua uncovered earlier this month in connection with a "Potentially massive campaign against cloud native environments" that researchers Ofek Itach and Assaf Morag laid at the feet of TeamTNT or a group using the same techniques.
They described the Silentbob campaign as an "Aggressive cloud worm, designed to deploy on exposed JupyterLab and Docker APIs in order to deploy Tsunami malware, cloud credentials hijack, resource hijack and further infestation of the worm."
News URL
https://go.theregister.com/feed/www.theregister.com/2023/07/15/teamtnt_aws_azure_google/
Related news
- Google Cloud Strengthens Backup Service With Untouchable Vaults (source)
- Google Cloud Document AI flaw (still) allows data theft despite bounty payout (source)
- Cloud storage lockers from Microsoft and Google used to store and spread state-sponsored malware (source)
- Azure domains and Google abused to spread disinformation and malware (source)