A malicious actor has been linked to a June 2023 cloud credential theft campaign focused on Azure and Google Cloud Platform (GCP) services, marking an expansion of adversary targeting beyond Amazon Web Services (AWS).
Criminal crews with a history of deploying malware to harvest credentials from Amazon Web Services accounts may be expanding their attention to organizations using Microsoft Azure and Google Cloud Platform.
These findings come from SentinelOne and Permiso, who say that "the campaigns bear similarities to tools attributed to the notorious TeamTNT cryptojacking crew," though they emphasize that "attribution remains a challenge with script-based tools." They also overlap with an ongoing TeamTNT campaign revealed by Aqua, called Silentbob, that utilized a misconfigured cloud service to drop malware as part of what was said to be a testing effort, while also linking the SCARLETEEL attack to the threat actor, citing infrastructure similarities.
More connections between SCARLETEEL and TeamTNT emerge
The most reliable link is a call from Avigayil Mechtinger at Sysdig: Avi noted that the SCARLETEEL 2.0 campaign used a crypto miner with the same Monero wallet address. "This is pretty convincing evidence that the two campaigns are linked." The wallet address in question is 43Lfq18TycJHVR3AMews5C9f6SEfenZoQMcrsEeFXZTWcFW9jW7VeCySDm1L9n4d2JEoHjcDpWZFq6QzqN4QGHYZVaALj3U.
"There is definitely overlap with some of the infrastructure used by threats like SCARLETEEL and TeamTNT," Michael Clark, director of threat research at Sysdig, told the publication. "However, there are also differences with other observed TTPs (i.e., using dedicated AWS endpoints) that make it difficult to make accurate attribution to a single threat actor."