A sophisticated cloud-credential-stealing and cryptomining campaign that has targeted Amazon Web Services (AWS) environments for the past several months has now expanded to Azure and Google Cloud Platform (GCP) as well. The tools used in the campaign overlap considerably with those associated with TeamTNT, a notorious, financially motivated threat actor, researchers have determined.
The broader targeting appears to have begun in June, according to researchers at SentinelOne and Permiso, and is consistent with the steady stream of incremental refinements the threat actor has been making to the campaign since the attacks began in December.
In separate reports highlighting their key takeaways, the firms noted that the attacks on Azure and GCP use the same core attack scripts the threat group has been using in the AWS campaign. However, the Azure and GCP capabilities are very nascent and less developed than the AWS tooling, says Alex Delamotte, threat researcher at SentinelOne.
“The actor only implemented the Azure credential collection module in the more recent — June 24 and newer — attacks,” she says. “The development has been consistent, and we will likely see more tools emerge over the coming weeks with bespoke automations for these environments, should the attacker find them a valuable investment.”