TeamTNT Strikes Again: A Wake-Up Call to Start Securing Cloud Entitlements

A few days ago, SC magazine published an article reporting that TeamTNT – a hacker group that became notorious about a year ago for targeting the unencrypted credentials of AWS IAM identities – is now targeting 16 more applications, including Google Cloud. If that weren’t bad enough, the new SC report suggests the group is actively using harvested AWS credentials to attack cloud environments. This is in contrast to cado’s research (August 2020), which reported that despite luring the hackers by sending them CanaryTokens.org credentials, the researchers did not see evidence that they were being put to use.

We believe it’s no coincidence that hackers choose to use credentials to attack cloud environments. After all, the easiest way to break into an establishment is to not break in at all: just use the front door key. Cloud APIs are often not protected in a “layered security” approach. Usually, like for AWS, using access keys from anywhere in the world gives you the same permissions as those granted to the identity they belong to.

To understand why this is a game changer, you only need to realize the difference between gaining control of a single workload versus having credentials that may allow you to spin up very powerful EC2s throughout your environment. If a cryptojacker wants to mine bitcoin, the latter is much more effective and speedier in harnessing computing power on its victim’s dime, causing fast and substantial financial damage. Of course, this is just one example of an attacker’s agenda. Potentially the same beachhead into a cloud environment can be used to exfiltrate sensitive data or cause business continuity failures at an opportune time. The cumulative nature of attack techniques

Leave a Comment