# TeamTNT Script Employed to Grab AWS Credentials **[cadosecurity.com/teamtnt-script-employed-to-grab-aws-credentials/](https://www.cadosecurity.com/teamtnt-script-employed-to-grab-aws-credentials/)** September 14, 2021 Blog September 14, 2021 A TeamTNT script has been employed to target a Confluence vulnerability that grabs AWS credentials including those from ECS. [We’ve been tracking TeamTNT since the adversary group was tied back to a crypto-mining](https://www.cadosecurity.com/botnet-deploys-cloud-and-container-attack-techniques/) worm that specifically targeted Kubernetes clusters — the first known worm that contained AWS-specific credential theft functionality. **What We Found** The IP address 3.10.224[.]87 is serving a clever script built by the TeamTNT crew to steal credentials. It steals AWS EC2 and AWS ECS credentials via their meta-data urls (169.254.169.254 for EC2 and 169.254.170.2 for ECS), as well as environment variables from Docker systems: ----- ----- The contents of malicious scripts at https://3.10.224[.]87/.a [This IP address is also being used to attack vulnerable Confluence servers with the recent](https://www.countercraftsec.com/blog/post/cve-2021-26084-payloads-and-oob-interaction/) CVE-2021-26084 exploit: CVE-2021-26084 Exploit code The [backdoor being distributed by the server, however, is well attributed to the Mushtik](https://www.virustotal.com/gui/file/0e574fd30e806fe4298b3cbccb8d1089454f42f52892f87554325cb352646049/community) botnet. Have two different crews hacked the same server and are using it for hosting? Or has Mushtik borrowed some code from TeamTNT? **Indicators of Compromise** 3.10.224[.]87 https://3.10.224[.] 87/.a 0e574fd30e806fe4298b3cbccb8d1089454f42f52892f87554325cb352646049 F22ce94c41d69e539206f6832b046ca21b7d7e0a090918564d20d0ac91045276 54934e404f70b23dc23945a61a9cc511fadeaf97a3e9b6a949b740130e9052bb **Recommendations** Given these findings, we recommend blocking IP address 3.10.224[.]87 to not fall victim. [In addition, in our previous post detailing TeamTNTs techniques from August 2020, we’ve](https://www.cadosecurity.com/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials/) provided general recommendations on how to protect against these threats: Identify which systems are storing AWS credential files and delete them if they aren’t needed. It’s common to find development credentials have accidentally been left on production systems. Use firewall rules to limit any access to Docker APIs. We strongly recommend using a allowlisted approach for your firewall ruleset. Review network traffic for any connections to mining pools, or using the Stratum mining protocol. Review any connections sending the AWS Credentials file over HTTP. ----- About The Author Chris Doman [Chris is well known for building the popular threat intelligence portal ThreatCrowd, which](https://www.threatcrowd.org/) [subsequently merged into the AlienVault Open Threat Exchange, later acquired by AT&T.](https://otx.alienvault.com/) Chris is an industry leading threat researcher and has published a number of widely read articles and papers on targeted cyber attacks. His research on topics such as the North Korean government’s [crypto-currency theft schemes, and China’s attacks](https://www.wsj.com/articles/in-north-korea-hackers-mine-cryptocurrency-abroad-1515420004) against dissident websites, have been widely discussed in the media. He has also given interviews to print, [radio and TV such as CNN and BBC News.](https://www.youtube.com/watch?v=z_0oV_hsc08) **About Cado Security** Cado Security provides the cloud investigation platform that empowers security teams to respond to threats at cloud speed. By automating data capture and processing across cloud and container environments, Cado Response effortlessly delivers forensic-level detail and unprecedented context to simplify cloud investigation and response. Backed by Blossom Capital and Ten Eleven Ventures, Cado Security has offices in the United States and United [Kingdom. For more information, please visit https://www.cadosecurity.com/ or follow us on](https://www.cadosecurity.com/) Twitter [@cadosecurity.](https://twitter.com/CadoSecurity) [Prev Post](https://www.cadosecurity.com/azurescape/) [Next Post](https://www.cadosecurity.com/docker-kubernetes-forensics-incident-response/) -----