Threat news: TeamTNT stealing credentials using EC2 Instance Metadata
Blog post from Sysdig
The Sysdig Threat Research Team has uncovered a new attack by the threat actor TeamTNT that targets Kubernetes pods and steals AWS credentials by querying the EC2 Instance Metadata Service (IMDS) from inside a compromised pod. The attackers gained initial access by brute-forcing a misconfigured WordPress pod, then ran a malicious bash script that requested the instance role's temporary credentials from the metadata endpoint. TeamTNT, known for targeting cloud platforms such as Kubernetes and Docker, has previously focused on cryptocurrency mining and credential theft; harvesting credentials through instance metadata is a newer addition to its playbook. The attack underlines the risk of over-permissioned instance roles: the credentials returned by IMDS carry every permission of the node's role, so a foothold in one pod can become lateral movement across the cloud account. To mitigate such threats, the post advises keeping software and images up to date, enforcing multi-factor authentication, and restricting access to the metadata endpoint wherever workloads do not need it. Falco, an open-source runtime threat detection tool, can surface this activity through customizable rules, while Sysdig Secure ships pre-configured detection rules that cover it out of the box.
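The following is an added example, not code from Sysdig, Falco, or the original post. It shows the two checks a practitioner would want after reading the summary: a detector that flags container processes reaching the IMDS credential path (run here over constructed events shaped like Falco's JSON output; the field names are Falco's, the values are invented, and treating `container.name == "host"` as "not in a container" is an assumption), and an audit of an instance's `MetadataOptions` (shaped like `aws ec2 describe-instances`) for the two settings that actually restrict pod access to metadata, requiring IMDSv2 tokens and a PUT hop limit of 1. The post itself only says to restrict metadata access; the specific AWS controls checked here are standard guidance, not claims from the page.

```python
"""Detect IMDS credential reads from containers and audit IMDS hardening.

Added example: not Sysdig's or Falco's code. Event shapes and instance
records below are constructed for illustration.
"""
import shlex
from typing import Optional

# Ways the EC2 metadata service can be addressed from an instance.
IMDS_HOSTS = ("169.254.169.254", "[fd00:ec2::254]", "instance-data")
# Path under which IMDS hands out the instance role's temporary credentials.
CREDENTIAL_PATH = "/latest/meta-data/iam/security-credentials"

# Constructed sample events shaped like Falco's `json_output=true` records.
# Field names are real Falco fields; every value is made up for this example.
SAMPLE_EVENTS = [
    {"container.name": "wordpress", "k8s.ns.name": "web", "k8s.pod.name": "wordpress-7c9f",
     "proc.name": "curl",
     "proc.cmdline": "curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/"},
    {"container.name": "wordpress", "k8s.ns.name": "web", "k8s.pod.name": "wordpress-7c9f",
     "proc.name": "curl",
     "proc.cmdline": "curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/node-role"},
    {"container.name": "wordpress", "k8s.ns.name": "web", "k8s.pod.name": "wordpress-7c9f",
     "proc.name": "curl",
     "proc.cmdline": "curl -s http://169.254.169.254/latest/meta-data/instance-id"},
    # Assumption: Falco reports processes outside any container with container.name "host".
    {"container.name": "host", "k8s.ns.name": "", "k8s.pod.name": "",
     "proc.name": "curl",
     "proc.cmdline": "curl http://169.254.169.254/latest/meta-data/iam/security-credentials/"},
    {"container.name": "wordpress", "k8s.ns.name": "web", "k8s.pod.name": "wordpress-7c9f",
     "proc.name": "curl",
     "proc.cmdline": "curl -s https://api.wordpress.org/core/version-check/1.7/"},
]


def imds_paths(cmdline: str) -> list:
    """Return the IMDS URL paths referenced anywhere in a command line."""
    try:
        tokens = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in an attacker's one-liner
        tokens = cmdline.split()
    paths = []
    for tok in tokens:
        for host in IMDS_HOSTS:
            idx = tok.find(host)
            if idx != -1:
                paths.append(tok[idx + len(host):] or "/")
                break
    return paths


def classify(event: dict) -> Optional[dict]:
    """Grade one process event; None when it never touches IMDS."""
    paths = imds_paths(event.get("proc.cmdline", ""))
    if not paths:
        return None
    in_container = event.get("container.name", "host") != "host"
    touches_creds = any(p.startswith(CREDENTIAL_PATH) for p in paths)
    if in_container and touches_creds:
        severity = "critical"   # a pod pulling the node role's credentials
    elif in_container:
        severity = "warning"    # a pod reading other metadata (recon)
    else:
        severity = "notice"     # node agents legitimately use IMDS
    return {
        "severity": severity,
        "pod": f"{event.get('k8s.ns.name', '')}/{event.get('k8s.pod.name', '')}",
        "proc": event.get("proc.name"),
        "paths": paths,
    }


def scan(events) -> list:
    """Run classify over a stream of events and keep only findings."""
    return [f for f in (classify(e) for e in events) if f]


def audit_metadata_options(instance: dict) -> list:
    """Report IMDS settings that let a pod reach role credentials.

    `instance` is shaped like one Reservations[].Instances[] entry from
    `aws ec2 describe-instances`; only MetadataOptions is inspected.
    """
    opts = instance.get("MetadataOptions", {})
    if opts.get("HttpEndpoint", "enabled") == "disabled":
        return []  # IMDS switched off: nothing for a pod to query
    issues = []
    if opts.get("HttpTokens", "optional") != "required":
        issues.append("HttpTokens is not 'required': IMDSv1 answers a bare GET with credentials")
    if int(opts.get("HttpPutResponseHopLimit", 1)) > 1:
        issues.append("HttpPutResponseHopLimit > 1: IMDSv2 token replies can cross the bridge into pods")
    return issues


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
    weak = {"InstanceId": "i-0example", "MetadataOptions": {
        "HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 2}}
    for issue in audit_metadata_options(weak):
        print("i-0example:", issue)
```

The hop-limit check assumes pods on the node's container bridge (the usual CNI setup); a pod running with `hostNetwork: true` shares the node's stack and is not stopped by it, which is why the detector still treats any in-container credential read as critical rather than relying on the network control alone.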