Over 50,000 IPs Across Multiple Kubernetes Clusters Were Compromised by the TeamTNT Threat Actors


Kubernetes is one of the most popular free, open-source container-orchestration platforms, used in particular to automate the deployment, management, and scaling of containerized applications.

Kubernetes has always been an appealing target for threat actors because clusters are frequently misconfigured, especially those running primarily in cloud environments with access to effectively unlimited resources.

Cybersecurity researchers at Trend Micro have recently uncovered a new campaign in which the cryptojacking group TeamTNT compromised over 50,000 IPs across multiple Kubernetes clusters.

How Is a Kubernetes Cluster Compromised?


Kubelet security configuration has three crucial factors, listed below:

Enabling Kubelet authentication.
Restricting Kubelet permissions, which the researchers recommend so that threat actors cannot read all Kubelet data or perform malicious actions.
Rotating the Kubelet certificates: the researchers recommend rotation wherever a compromise may have taken place, so that the potential impact of the short-lived certificates is minimized.
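The three settings above can be checked mechanically. The following is an added example (not code from the article or from Trend Micro) that audits a kubelet configuration in the JSON shape the kubelet serves on its /configz endpoint; the two configuration documents are constructed here for illustration, one matching the weak exposure the article describes and one hardened:

```python
import json

# Two KubeletConfiguration documents, constructed for this example in the
# JSON shape the kubelet exposes on /configz (wrapped in a "kubeletconfig"
# key). The weak one reflects the exposure described above: anonymous access
# to the kubelet API, every request authorized, no certificate rotation.
WEAK_CONFIGZ = json.dumps({"kubeletconfig": {
    "authentication": {"anonymous": {"enabled": True},
                       "webhook": {"enabled": False}},
    "authorization": {"mode": "AlwaysAllow"},
    "rotateCertificates": False,
    "readOnlyPort": 10255,
}})

HARDENED_CONFIGZ = json.dumps({"kubeletconfig": {
    "authentication": {"anonymous": {"enabled": False},
                       "webhook": {"enabled": True}},
    "authorization": {"mode": "Webhook"},
    "rotateCertificates": True,
    "readOnlyPort": 0,
}})


def audit_kubelet_config(configz_json: str) -> list:
    """Return findings for the three settings named in the article: kubelet
    authentication, kubelet authorization (permissions) and certificate
    rotation. A missing key counts as a finding so the audit fails closed.
    An empty list means the configuration passes."""
    cfg = json.loads(configz_json).get("kubeletconfig", {})
    auth = cfg.get("authentication", {})
    findings = []

    # 1. Authentication: anonymous requests must be rejected and a real
    #    authenticator (webhook token review / x509 client certs) enabled.
    if auth.get("anonymous", {}).get("enabled", True):
        findings.append("authentication.anonymous.enabled is true")
    if not auth.get("webhook", {}).get("enabled", False):
        findings.append("authentication.webhook.enabled is false")

    # 2. Authorization: AlwaysAllow lets any caller that gets past
    #    authentication use every kubelet endpoint; Webhook defers each
    #    request to the API server's RBAC policy.
    mode = cfg.get("authorization", {}).get("mode")
    if mode != "Webhook":
        findings.append(f"authorization.mode is {mode!r}, expected Webhook")

    # 3. Rotation bounds how long a leaked kubelet certificate stays useful.
    if not cfg.get("rotateCertificates", False):
        findings.append("rotateCertificates is false")

    # Extra check beyond the article's three points: the unauthenticated
    # read-only port also lists pods, so flag it when it is left open.
    if cfg.get("readOnlyPort", 0) != 0:
        findings.append(f"readOnlyPort {cfg['readOnlyPort']} is enabled")
    return findings
```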

After a lengthy investigation, the Trend Micro researchers were fortunate enough to retrieve a file from the threat actors' servers. The file, called kube.lateral.sh, has a very low detection rate on VirusTotal according to the researchers.


The researchers then noticed the function kube_pwn() in the last part of the script. This function uses Masscan to check whether any hosts have port 10250 open.

Running application pods on the control plane and nodes of a cluster is not considered a best practice where the Kubelet is concerned. The Kubelet is the agent that runs on every node to ensure that each container is running in a Pod.


To set up the environment, the attackers first disable the bash history of the host they have targeted. The scripts were then mainly used to install the crypto miner, along with the XMRig Monero miner binary.

First, it updates the package index present in the container.
Then it installs the listed packages: bash, wget, and curl.
Once the installation is complete, it downloads a shell script called setup_xmr.sh from TeamTNT's C&C server and stores it in the tmp folder.
It then executes the script to start mining the Monero cryptocurrency.

The tools used were the network scanning tool masscan, which is written in C, and the deprecated banner-grabbing tool Zgrab, which is written in Go.

One can easily check from an external IP by hitting the API server, which will show whether the API is exposed or not.

These scripts contain a large base64-encoded code block that helps the attackers install the IRC bot, which is written in C and based on the well-known IRC bot Kaiten.

For the threat actors, Exploit Public-Facing Applications (T1190) is one of the entry points: an RBAC misconfiguration or a vulnerable cluster version allows the attackers to take control of any organization's cluster.

The number of targets is increasing, and this is not the first case of cryptojacking, which is why the researchers are doing their best to monitor the attacks closely.


That is why we have discussed the commands below:

As mentioned above regarding the kube_pwn() function, it lists all the pods currently running inside the node in JSON format. Then, to run commands in those pods, it takes advantage of the /run endpoint present on the kubelet API.