Malware Targets Kubernetes ClustersResearchers: 'Hildegard' Linked to TeamTNT Hacking Group
A previously undocumented malware variant called "Hildegard" is targeting Kubernetes clusters, Palo Alto Networks' Unit 42 reports.
The malware is likely the work of a hacking group known as TeamTNT, which targets cloud and container infrastructures to mine for monero cryptocurrency. Earlier, Unit 42 found the hackers had deployed malicious code that targeted exposed Docker daemon APIs to perform scanning and cryptojacking operations (see: Cryptojacker Targets Exposed Docker Daemon APIs).
The Unit 42 researchers believe the new Hildegard malware has only been active since early January and is still under development. The malicious code appears to have the potential to conduct a large-scale operation, including stealing data from potential victims, the report notes.
"There has not been any activity since our initial detection, which indicates the threat campaign may still be in the reconnaissance and weaponization stage," the Unit 42 researchers note. "However, knowing this malware's capabilities and target environments, we have good reason to believe that the group will soon launch a larger-scale attack. The malware can leverage the abundant computing resources in Kubernetes environments for cryptojacking and potentially exfiltrate sensitive data from tens to thousands of applications running in the clusters."
The researchers first spotted the malware targeting Kubernetes clusters on Jan. 21.
The attacks begin with the malware targeting misconfigured or unsecured Kubelet agents that run on each node in the container cluster. These agents make sure that containers are running in a "pod" and can receive commands and instructions from the Kubernetes API server.
After the initial attack, the malware performs a remote code execution task and then downloads tmate, legitimate software that creates a secure terminal sharing connection over SSH or Secure Shell network protocol, according to the report.
Once the connection is established, the attackers then use the Masscan port scanner to scan the internal network of the targeted Kubernetes cluster to look for other unsecured or misconfigured Kubelet agents. From there, the malware deploys a cryptomining script and starts mining for monero, the Unit 42 researchers note.
The report notes that these attacks have been limited so far, with one crypto wallet associated with the TeamTNT attacks listing only $1,500 in monero.
"Unlike a Docker engine that runs on a single host, a Kubernetes cluster typically contains more than one host, and every host can run multiple containers," according to the researchers. "Given the abundant resources in a Kubernetes infrastructure, a hijacked Kubernetes cluster can be more profitable than a hijacked Docker host."
The Hildegard malware has similar techniques and domains as previous malware attacks associated with TeamTNT, the researchers say.
Hildegard uses two methods to connect to its command-and-control server, which helps it avoid detection by security tools. The malware also encrypts its malicious payload inside a binary that makes a full analysis more difficult, according to Unit 42
Jack Mannino, CEO of security firm nVisium, notes that the use of misconfigurations and weaknesses within the Kubelet agents is an effective way for hackers to gain persistence across Kubernetes clusters.
"As more production workloads move to cloud-native [environments], … securing clusters, software development pipelines and cloud architectures becomes incredibly difficult, as the attack surface significantly expands," Mannino says.
The TeamTNT gang was spotted in early 2020 by security firm Trend Micro.
In August 2020, security firm Cado found that Team TNT deployed a cryptomining botnet that would also steal Amazon Web Services user credentials (see: Cryptomining Botnet Steals AWS Credentials ).