Threat news: TeamTNT targeting misconfigured kubelet
Blog post from Sysdig
TeamTNT, a well-known threat actor group, has targeted cloud and virtual environments such as Kubernetes and Docker since 2019, focusing on credential theft and cryptomining. In a recent campaign, the group exploited a misconfigured kubelet service in Kubernetes clusters to access pods, download malicious binaries, and execute scripts aimed at stealing AWS credentials and other sensitive data. The attack involved downloading and executing a series of scripts that searched for various credentials and exfiltrated them to TeamTNT's command and control servers. The group is also expanding its focus beyond AWS to other credentials, including GitHub and SSH keys.

To mitigate such threats, avoid exposing kubelet services to public networks with anonymous access enabled, and secure credentials properly. Falco, a CNCF incubating project, can help detect these malicious activities in real time by using customizable rules to monitor for anomalies in cloud-native environments.
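The two controls the summary recommends, shown as configuration: a kubelet exposed with anonymous access next to a hardened KubeletConfiguration, followed by a Falco rule that flags the "download a binary inside a container" step of the campaign. This is an added example, not configuration or rules from the Sysdig post or from the Falco project; the KubeletConfiguration fields are the documented ones, while the file paths, the rule name and the tags are assumptions chosen for illustration.

```yaml
# Added example: weak vs. hardened kubelet settings, plus a custom Falco rule.
# Paths and rule names below are assumptions, not values from the original post.

# --- Weak: the misconfiguration the campaign relied on ---
# Assumed file: /var/lib/kubelet/config.yaml (kubelet started with --config)
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: true          # unauthenticated requests are accepted as system:anonymous
authorization:
  mode: AlwaysAllow        # ...and that identity may list pods and exec into them
readOnlyPort: 10255        # extra unauthenticated read-only API on a second port

---
# --- Hardened: reject anonymous callers and authorize every request ---
# Same assumed file; both fields below are part of the v1beta1 KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: false         # unauthenticated requests get 401 instead of a pod list
  webhook:
    enabled: true          # bearer tokens are validated via TokenReview on the API server
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt   # assumed CA path for client certificates
authorization:
  mode: Webhook            # each request is checked with a SubjectAccessReview
readOnlyPort: 0            # disable the unauthenticated read-only port entirely

---
# --- Detection: custom Falco rule for the download stage ---
# Assumed file: /etc/falco/rules.d/container_download.yaml
- rule: Container Downloads Remote Content
  desc: >
    curl or wget launched inside a container. Legitimate images rarely fetch
    content at runtime, and the campaign described above starts by pulling
    binaries and scripts into compromised pods.
  condition: >
    evt.type in (execve, execveat) and evt.dir=< and
    container.id != host and
    proc.name in (curl, wget)
  output: >
    Download tool launched in container
    (user=%user.name command=%proc.cmdline container=%container.name
    image=%container.image.repository pod=%k8s.pod.name ns=%k8s.ns.name)
  priority: WARNING
  tags: [container, network, credential_theft_precursor]
```

The hardened kubelet block only takes effect if the kubelet process is actually started with `--config` pointing at that file (or the equivalent `--anonymous-auth=false --authorization-mode=Webhook --read-only-port=0` flags), so check the running process, not just the file on disk. The Falco rule is deliberately narrow; tune `proc.name` and add an exception list for images that legitimately download at startup before raising its priority.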