TeamTNT Strikes Again: A Wake-Up Call to Start Securing Cloud Entitlements

Lior Zatlavi By Lior Zatlavi

Examining the news that TeamTNT is targeting 16 more applications, including Google Cloud.

A few days ago, SC magazine published an article reporting that TeamTNT - a hacker group that became notorious about a year ago for targeting the unencrypted credentials of AWS IAM identities - is now targeting 16 more applications, including Google Cloud. If that weren’t bad enough, the new SC report suggests the group is actively using harvested AWS credentials to attack cloud environments. This is in contrast to cado’s research (August 2020), which reported that despite luring the hackers by sending them CanaryTokens.org credentials, the researchers did not see evidence that they were being put to use.

The easiest way in is through the front door

We believe it’s no coincidence that hackers choose to use credentials to attack cloud environments. After all, the easiest way to break into an establishment is to not break in at all: just use the front door key. Cloud APIs are often not protected in a “layered security” approach. Usually, like for AWS, using access keys from anywhere in the world gives you the same permissions as those granted to the identity they belong to.

To understand why this is a game changer, you only need to realize the difference between gaining control of a single workload versus having credentials that may allow you to spin up very powerful EC2s throughout your environment. If a cryptojacker wants to mine bitcoin, the latter is much more effective and speedier in harnessing computing power on its victim’s dime, causing fast and substantial financial damage. Of course, this is just one example of an attacker’s agenda. Potentially the same beachhead into a cloud environment can be used to exfiltrate sensitive data or cause business continuity failures at an opportune time.

The cumulative nature of attack techniques

As cado noted, attack techniques used by malware tend to have a cumulative nature; the malware that the TeamTNT worm created contains code copied from another piece of malware named Kinsing. It’s reasonable to expect that future malware (or malware currently in the wild and not yet identified) would use TeamTNT’s code to accomplish similar objectives and also harvest cloud credentials. It’s not unreasonable to assume that once this approach proves effective we will start to see more and more versatile techniques in play to discover and compromise cloud credentials for future attacks.

Many security researchers put impressive effort into protecting the environments and workloads where credentials reside from being compromised by malware. This cat-and-mouse game is probably as old as the internet itself, with attackers finding new vulnerabilities and ways to attack, and defenders finding ways to detect, prevent, contain and respond to such tactics -- only for the attackers to evolve their techniques or find new ones.

The problem of misconfigured privileges

We believe it might be easier, and give more bang for the security buck, to look at the problem from another perspective. As we constantly highlight, one of the biggest problems in cloud security today is misconfigured privileges for identities. Working with our clients, we constantly find admin-level credentials almost literally lying around with no use, easy prey to be compromised by malware like TeamTNT’s. It’s also not unusual to find credentials used for only very specific tasks on very specific resources having extremely permissive access - or even full admin privileges. If the fallout from compromising a cloud identity includes a threat actor having access to admin-level rights that don’t even need to exist, the security benefit of eliminating those rights ahead of time is huge. If all identities have only the permissions they require for their business function, based on the principle of least privilege, the damage from a breach such as TeamTNT’s malware hitting your environment is limited.

As we all know, the front line will always be breached. It’s important to continue putting your best effort into winning at the ongoing cyber dominance battle. Yet, the goal of making breaches less damaging cannot, should not, be overlooked - and frequently is.

Trying to minimize potential damage from a cloud data breach may have been avoided as a strategy until now since, historically, achieving least privilege in public cloud infrastructure was always so hard. Doing so requires extremely granular, continuously updated, comprehensive and insightful visibility into both the configuration and activity logs of the cloud environment. Today, with solutions such as Ermetic, over-privileged and inactive identities can be discovered and remediated with extreme ease. So there’s no reason your environment should be kept vulnerable to threats that, as the SC article notes, it will be increasingly presented with.

Monitoring and alerting for suspicious behavior

Detecting identity compromise in time can significantly mitigate the potential harm done by attackers and aid in performing evasive action. Another way to mitigate the risks of credential exposure in your cloud infrastructure is to have rules and procedures that monitor and alert for suspicious behavior. An identity compromised by an attacker is likely to behave in specific ways, such as by performing reconnaissance, escalating privilege, and establishing stealth and evasion. Knowledge of one’s environment and expected behaviors gives the defender a significant advantage. By using deep and broad awareness of permissions and behavior in your cloud infrastructure, it’s possible to identify actions taken by attackers, create alerts for irregular behaviors to trigger a rapid response to any account compromise and carry out an effective investigation.

Secure permissions for cloud identities before you get hit

Leveraging knowledge of one’s environment using cloud service provider native tools or even DIY scripts can be extremely complicated and time consuming - and make such a task seem impossible. It also requires very specialized knowledge that takes years to develop and much attention to maintain and broaden. Tools such as Ermetic provide this kind of analysis out-of-the-box, enabling you to detect such compromises as early as possible and put a stop to them before they cause serious damage.

In a word: We strongly recommend letting this revealing report on TeamTNT’s activity serve as a loud wake up call to anyone using a cloud platform that it’s time to start securing the permissions granted to cloud identities before you get hit.