August 19, 2020
A new crypto-mining worm threatens your AWS credentials
A new crypto-mining worm that steals AWS credentials was detected just a few days ago, as reported on Cado Security's website. This worm, operated by a group called "TeamTNT", is aimed at harming various systems, including Docker and Kubernetes.
While it is the first of its kind, it is certainly not the last, as attackers aim to extend their reach into cloud environments, following in the footsteps of organizations.
Below is an example of the message received when the worm first runs:
The AWS credentials theft is carried out rather simply, using simple code that uploads the AWS credentials and config files to TeamTNT's server, which responds with a message. Below is example code used to steal AWS credentials.
As most crypto-mining worms contain code copied from other worms, TeamTNT's worm uses code from a worm that attempts to stop Alibaba Cloud Security tools.
This new crypto-mining worm also scans for open Docker APIs and deploys mining tools to gain cash from crypto-currencies.
Using these types of relatively simple attacks, cyber-attackers can harm multiple businesses while attacking them on many fronts.
Suggested precautionary steps to take for safekeeping of AWS credentials:
- When possible, identify systems storing AWS credentials files and delete them.
- Maintain firewall rules to limit access to Docker APIs.
- Monitor network traffic on an ongoing basis for potentially harmful connections, such as those sending AWS credentials files over HTTP.
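A host-level check for the first two steps, added here as an example (it is not code from the original article or from Cado Security's report): it lists `credentials` and `config` files under any `.aws` directory, flags those holding long-term secret keys, and filters `ss -ltn` output for non-loopback listeners. The scanned roots `/root` and `/home`, and the ports 2375/2376 (the conventional Docker API ports, which the article does not name), are assumptions.

```shell
#!/bin/sh
# Added example: audit a Linux host for stored AWS credential files and
# for a Docker API socket reachable from the network.

# find_aws_cred_files ROOT...: print credentials/config files found in any
# .aws directory under the given roots (stays on one filesystem).
find_aws_cred_files() {
    find "$@" -xdev -type f \
        \( -path '*/.aws/credentials' -o -path '*/.aws/config' \) 2>/dev/null
}

# has_static_keys FILE: succeed if FILE stores a long-term secret access key.
has_static_keys() {
    grep -Eq '^[[:space:]]*aws_secret_access_key[[:space:]]*=' "$1"
}

# exposed_docker_listeners: read `ss -ltnH` output on stdin and print local
# addresses listening on 2375/2376 (assumed Docker API ports) that are not
# bound to loopback.
exposed_docker_listeners() {
    awk '$4 ~ /:(2375|2376)$/ && $4 !~ /^(127\.|\[::1\])/ { print $4 }'
}

# audit_host: report findings for this machine (roots are assumptions).
audit_host() {
    find_aws_cred_files /root /home | while IFS= read -r f; do
        if has_static_keys "$f"; then
            echo "static AWS keys on disk: $f"
        else
            echo "AWS profile file:        $f"
        fi
    done
    ss -ltnH 2>/dev/null | exposed_docker_listeners |
        sed 's/^/Docker API reachable on: /'
}

# Run the audit only when asked, e.g.  sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_host
fi
```

Files flagged as holding static keys are the ones to remove or replace first; any reported listener should be closed or restricted by firewall rules.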