A newly discovered strain of malware, dubbed Hildegaard, points to an imminent campaign of cyber attacks against Kubernetes clusters by the cloud-centric TeamTNT cyber crime gang, according to researchers on Palo Alto Networks’ Unit 42 team.
Hildegaard was first spotted in January 2021, and its infrastructure appears to have been online for only a little longer than that, with its command and control (C2) domain only registered on Christmas Eve 2020.
In the initially detected incident, Unit 42 said that the group gained initial access via a misconfigured kubelet that allowed anonymous access. Once they had gained a foothold in the target Kubernetes cluster, the malware attempted to spread over multiple containers to launch cryptojacking operations, draining system resources, causing denial of service, and disrupting the applications running in the compromised cluster.
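The initial-access path described above, an unauthenticated kubelet, is a configuration problem rather than a software flaw. As an added illustration (not taken from the Unit 42 report or the article), the following two KubeletConfiguration fragments show the weak settings that permit anonymous access beside the hardened settings a cluster operator should be running; the file path and cluster CA path are assumptions.

```yaml
# Constructed example: /var/lib/kubelet/config.yaml (path is an assumption)
# --- WEAK: anonymous clients are accepted and every request is authorised ---
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: true          # any unauthenticated caller is treated as system:anonymous
authorization:
  mode: AlwaysAllow        # no check against the API server, so anonymous can do anything
readOnlyPort: 10255        # unauthenticated read-only API on a second port

---
# --- HARDENED: require a credential and ask the API server before acting ---
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: false         # reject requests with no credentials outright
  webhook:
    enabled: true          # validate bearer tokens via TokenReview on the API server
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt   # assumed CA path; accept only cluster-signed client certs
authorization:
  mode: Webhook            # every kubelet API request is checked with SubjectAccessReview
readOnlyPort: 0            # disable the unauthenticated read-only port entirely
```

With the hardened settings, a kubelet answers unauthenticated requests with 401 instead of executing them, which removes the foothold this campaign relied on; restart the kubelet after changing the file and confirm the running values with the node's `/configz` endpoint through the API server proxy.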
“There has not been any activity since our initial detection, which indicates the threat campaign may still be in the reconnaissance and weaponisation stage. However, knowing this malware’s capabilities and target environments, we have good reason to believe that the group will soon launch a larger-scale attack,” said the Unit 42 researchers in a disclosure blog.
“The malware can leverage the abundant computing resources in Kubernetes environments for cryptojacking and potentially exfiltrate sensitive data from tens to thousands of applications running in the clusters.”
The researchers said this was the first time TeamTNT has been seen targeting Kubernetes environments, and their new malware carries several new features to make it stealthier and more persistent – among other things, it has multiple ways of establishing C2 connections, hides its activity “behind” a legitimate and easily overlooked Linux kernel process, and encrypts its malicious payload inside a binary to make automated static analysis harder.
“This new TeamTNT malware campaign is one of the most complicated attacks targeting Kubernetes. This is also the most feature-rich malware we have seen from TeamTNT so far,” the team said. “In particular, the threat actor has developed more sophisticated tactics for initial access, execution, defence evasion and C2. These efforts make the malware more stealthy and persistent.”
The team suspects that TeamTNT has turned its attention to Kubernetes because, unlike a Docker engine, which runs on a single host, a Kubernetes cluster will typically span more than one host, each of which can run multiple containers. This means that hijacking a Kubernetes cluster for cryptomining works out to be far more profitable than hijacking a single Docker host.
Existing Palo Alto customers who run its Prisma Cloud service are already protected from Hildegaard by its runtime protection, cryptominer detection and Kubernetes security features.
More information on this emerging malware, including more in-depth details of TeamTNT’s tactics, techniques and procedures, and specific indicators of compromise can be read here.
The TeamTNT group first emerged in 2020 and made a name for itself targeting badly secured and misconfigured Docker hosts and exploiting them for cryptomining activities.
Since then, the gang has refined its abilities somewhat, and is now actively stealing credentials for both Docker and Amazon Web Services, as detailed in a recent Trend Micro report.