Article 57820 AWS Cryptojacking Worm Spreads through the Cloud

AWS Cryptojacking Worm Spreads through the Cloud

by
Fnord666
from SoylentNews on (#57820)

upstart writes in with an IRC submission:

AWS Cryptojacking Worm Spreads Through the Cloud:

A cryptomining worm from the group known as TeamTNT is spreading through the Amazon Web Services (AWS) cloud and collecting credentials. Once the logins are harvested, the malware logs in and deploys the XMRig mining tool to mine Monero cryptocurrency.

According to researchers at Cado Security, the worm also deploys a number of openly available malware and offensive security tools, including "punk.py," a SSH post-exploitation tool; a log cleaning tool; the Diamorphine rootkit; and the Tsunami IRC backdoor.

It is, they said, the first threat observed in the wild that specifically targets AWS for cryptojacking purposes. However, it also carries out more familiar fare.

"The worm also steals local credentials, and scans the internet for misconfigured Docker platforms," according to a Monday posting. "We have seen the attackers...compromise a number of Docker and Kubernetes systems."

[...] Cado researchers suggested that to thwart such attacks, businesses should identify which systems are storing AWS credential files and delete them if they aren't needed. Also, review network traffic for any connections to mining pools or those sending the AWS credentials file over HTTP; and, use firewall rules to limit any access to Docker APIs.

Original Submission

Read more of this story at SoylentNews.

External Content
Source RSS or Atom Feed
Feed Location https://soylentnews.org/index.rss
Feed Title SoylentNews
Feed Link https://soylentnews.org/
Feed Copyright Copyright 2014, SoylentNews
Reply 0 comments