Cloudy with a chance of credentials - AWS-targeting cred stealer expands to Azure, GCP
July 2023 by SentinelLabs
SentinelLabs worked with the Permiso Security threat research team to track and analyse files related to a new incarnation of this campaign targeting exposed Docker services. In December 2022, Permiso reported about a cloud credential stealer campaign targeting primarily Amazon Web Services (AWS) credentials from public-facing Jupyter Notebooks services, with bad actors likely accessing these impacted services through unpatched web application vulnerabilities.
Since the December campaign, the actor has made several updates to how their tooling works and no longer hosts files in an open directory, which complicates efforts to track and analyse these campaigns. The hallmark shell scripts remain the core of these campaigns, though SentinelLabs also identified an Executable and Linkable Format (ELF) binary written in Golang.
The December campaign targeted AWS credentials; the most recent campaigns added functions that target credentials from Azure and Google Cloud Platform (GCP), which the actor actively modified throughout June. The actor made the script more modular as it grew larger and more complex, while splitting the AWS functionality into three smaller functions to increase efficiency and enhance the script’s stealth.
The new campaign follows a credentials collection logic that targets a number of services and technologies, such as AWS, Azure, GCP, Docker, Kubernetes, and Linux.
Notably, there is considerable overlap in the targeted files between these credential stealer campaigns and the TeamTNT Kubelet-targeting campaign reported by Sysdig in October 2022.
• Throughout June 2023, an actor behind a cloud credentials stealing campaign has expanded their tooling to target Azure and GCP services. Previously, this actor focused exclusively on AWS credentials.
• Cloud service credentials are increasingly targeted as actors find more ways to profit from compromising such services. This actor targeted exposed Docker instances to deploy a worm-like propagation module.
• These campaigns share similarity with tools attributed to the notorious TeamTNT cryptojacking crew. However, attribution remains challenging with script-based tools, as anyone can adapt the code for their own use.
This campaign demonstrates the evolution of a seasoned cloud actor with familiarity across many technologies. The meticulous attention to detail indicates the actor has clearly experienced plenty of trial and error, shown in choices like serving the curl binary to systems that do not already have it. The actor has also improved the tool’s data formatting to enable more autonomous activity, which demonstrates a certain level of maturity and skill.
While AWS has long been in the crosshairs of many cloud-focused actors, the expansion to Azure and GCP credentials indicates there are other major contenders holding valuable data.
SentinelLabs believes this actor is actively tuning and improving their tools. Based on the tweaks observed across the past several weeks, the actor is likely preparing for larger scale campaigns. The lack of threats explicitly targeting Azure and GCP credentials up to this point means there are likely many fresh targets. The current focus on Docker is ultimately arbitrary: this actor has previously targeted other technologies and there are many other oft-forgotten vulnerable applications.
Organisations can prepare against these attacks by ensuring that applications are properly configured and patched as security fixes become available. Docker access should be restricted to suit your organisation’s needs while reducing exposure from outside connections.
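To make that last recommendation checkable, here is an added audit helper (not code from the SentinelLabs or Permiso research) that reads a Docker daemon.json and/or the dockerd command line and flags TCP listeners reachable from other hosts; the two sample configurations are constructed for illustration.

```python
import json
import shlex

# Constructed sample daemon.json contents (not taken from the report).
EXPOSED_SAMPLE = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_SAMPLE = '{"hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2375"]}'

# Bind addresses that cannot be reached from another machine.
LOCAL_ONLY = {"127.0.0.1", "localhost", "[::1]"}

def _collect_hosts(daemon_json_text, dockerd_cmdline):
    """Union the listeners and TLS setting from daemon.json and the dockerd argv."""
    cfg = json.loads(daemon_json_text) if daemon_json_text else {}
    hosts = list(cfg.get("hosts", []))
    tls_verify = bool(cfg.get("tlsverify", False))
    argv = shlex.split(dockerd_cmdline)
    for i, arg in enumerate(argv):
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tls_verify = True
    return hosts, tls_verify

def audit_docker_exposure(daemon_json_text, dockerd_cmdline=""):
    """Return (listener, finding) pairs for every TCP listener reachable from off-host."""
    hosts, tls_verify = _collect_hosts(daemon_json_text, dockerd_cmdline)
    findings = []
    for listener in hosts:
        if not listener.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are local by construction
        bind = listener[len("tcp://"):].rsplit(":", 1)[0]  # drop the port; "" means all interfaces
        if bind in LOCAL_ONLY:
            continue
        if tls_verify:
            findings.append((listener, "TLS client verification is on; still restrict source addresses"))
        else:
            findings.append((listener, "unauthenticated remote API reachable from other hosts"))
    return findings

if __name__ == "__main__":
    for sample in (EXPOSED_SAMPLE, HARDENED_SAMPLE):
        print(sample, "->", audit_docker_exposure(sample) or "no remote exposure")
```

Run it against the real /etc/docker/daemon.json and the running dockerd command line; any finding without TLS verification is the kind of exposure this campaign relies on.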