Researchers at Aqua Security have found evidence of cyberattacks initiated by the TeamTNT gang. The company labelled one of these the “Kangaroo attack” (an attack that distributes processing power across compromised machines in an attempt to crack Bitcoin’s encryption). The hacker collective had been believed to be “non-active” since 2021, but its sudden reappearance hints at a bigger attack.
TeamTNT is a well-known threat actor specializing in cloud hacking and has been involved in several high-profile cases. In the latest attack, the cloud-native security company found that the scripts and malware used by the threat actor resemble TeamTNT’s. According to reports, the hacker group supposedly ceased operations last year with a farewell note, but the new series of attacks indicates its return.
Aqua Security shares a report on TeamTNT
On September 15, 2022, Aqua Security reported a series of attacks whose patterns resembled those of TeamTNT. The hacker group emerged as a cloud threat actor in 2020, targeting cloud environments including misconfigured Kubernetes clusters, Docker APIs, Kubernetes UI tools, Redis servers, and more.
On November 6, 2021, the hacker collective announced its farewell via a Twitter post. However, it covertly continued to infect new victims, using its old malware as its primary tool. The group allegedly kept scanning for and infecting new victims even after cybersecurity researchers discovered the activity. Many researchers and cybersecurity firms are still debating whether the new threat actor is indeed TeamTNT.
According to Assaf Morag, lead data analyst at Aqua Security, the company identified three attacks that use various signatures and tools, some of which are associated with TeamTNT. Based on these attacks, the company stated that it was “certain that this vibrant threat actor has renewed its malicious activity.”
Kangaroo malware attack explained
Kangaroo malware attackers attempt to solve the Elliptic Curve Discrete Logarithm Problem (ECDLP), running an ECDLP solver on victims’ cloud machines. According to Aqua Security, the attackers scan for a “misconfigured Docker Daemon” on victims’ systems, then deploy alpine (a vanilla container image).
The solver runs in a distributed fashion because the “algorithm breaks the key into chunks,” according to Aqua Security, and spreads them across various nodes (the attacked servers), which later report their results to be written to a text file. If a TA (threat actor) succeeded in breaking the encryption, it could have a “devastating effect on the entire internet,” reports Aqua Security.
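To make the chunking concrete, here is an added example (not code from the Aqua report or from the malware) of Pollard’s kangaroo interval ECDLP method on a constructed toy curve, with the search interval split into chunks the way a distributed solver would hand one chunk to each node; the curve parameters, base point and secret scalar are assumed values for the demo. The method costs on the order of the square root of the interval size in curve operations, so a 12-bit interval falls instantly while a full 256-bit key space remains far out of reach, and splitting the work across nodes only divides that cost linearly.

```python
# Added example (not from the Aqua report): Pollard's kangaroo interval ECDLP solver with the
# interval split into chunks. Curve, base point and secret are constructed toy values only.
P, A, B = 9739, 497, 1768            # toy curve y^2 = x^3 + A*x + B over GF(P)
G = (493, 5564)                      # constructed base point on that curve

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2: lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    r = None
    while k:
        if k & 1: r = ec_add(r, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return r

def kangaroo(Q, lo, hi, seed=0):
    """Find k in [lo, hi] with k*G == Q using ~4*sqrt(hi-lo) tame jumps; None if the walks miss."""
    w = hi - lo
    m = int(w ** 0.5 / 2).bit_length() + 2             # jump sizes 2^0..2^(m-1), mean ~ sqrt(w)/2
    table = [ec_mul(1 << i, G) for i in range(m)]       # precomputed jump points
    idx = lambda pt: ((pt[0] if pt else 0) + seed) % m  # jump chosen deterministically from the point
    tame, d_t = ec_mul(hi, G), 0                        # tame kangaroo starts at the known top exponent
    for _ in range(4 * int(w ** 0.5) + 1):
        i = idx(tame); tame, d_t = ec_add(tame, table[i]), d_t + (1 << i)
    wild, d_w = Q, 0                                    # wild kangaroo starts at the unknown k*G
    while d_w <= w + d_t:                               # wild gives up once it must have passed the trap
        if wild == tame: return hi + d_t - d_w          # same point => same exponent => k recovered
        i = idx(wild); wild, d_w = ec_add(wild, table[i]), d_w + (1 << i)
    return None

def solve_chunked(Q, lo, hi, parts):
    """Split [lo, hi] into `parts` chunks; each chunk is the unit of work a node would receive."""
    step = (hi - lo) // parts + 1
    for start in range(lo, hi + 1, step):
        for seed in range(5):                           # re-seeded walks cover the rare misses
            k = kangaroo(Q, start, min(start + step - 1, hi), seed)
            if k is not None and ec_mul(k, G) == Q: return k
    return None

if __name__ == "__main__":
    secret = 2022                                       # constructed private scalar inside [1, 4096]
    Q = ec_mul(secret, G)
    print("recovered", solve_chunked(Q, 1, 4096, 4), "expected", secret)
```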