
Threat news: TeamTNT stealing credentials using EC2 Instance Metadata

Blog post from Sysdig

Post Details
Company: Sysdig
Date Published:
Author: Alberto Pellitteri
Word Count: 1,559
Company Posts That Month: 10
Language: English
Hacker News Points: -
Summary

The Sysdig Threat Research Team has uncovered a new attack by the threat actor TeamTNT, which targets Kubernetes pods to steal AWS credentials by querying the EC2 instance metadata service. The attackers gained initial access by brute-forcing a misconfigured WordPress pod and then ran a malicious bash script that read the credentials from the metadata endpoint. TeamTNT, known for targeting cloud platforms such as Kubernetes and Docker, previously focused on cryptocurrency mining and credential theft and has now added a technique that abuses AWS instance metadata. The attack highlights the risk of excessive permissions on the credentials exposed to a pod, which could enable lateral movement within cloud environments. To mitigate such threats, the post advises keeping security controls up to date, applying multi-factor authentication, and restricting access to the instance metadata service wherever a workload does not need it. Falco, an open-source runtime threat detection tool, can detect this kind of suspicious activity through customizable rules, and Sysdig Secure ships pre-configured detection rules that provide additional protection.

Trends Found in this Post
Trend        Post Mentions   Total Month Mentions   Posts   Companies   MoM
Kubernetes   6               955                    163     58          -22%