TeamTNT Script Employed to Grab AWS Credentials


A TeamTNT script that grabs AWS credentials, including those from ECS, has been employed to target a Confluence vulnerability.

We’ve been tracking TeamTNT since the adversary group was tied back to a crypto-mining worm that specifically targeted Kubernetes clusters — the first known worm that contained AWS-specific credential theft functionality.

What We Found

The IP address 3.10.224[.]87 is serving a clever script built by the TeamTNT crew to steal credentials. It steals AWS EC2 and AWS ECS cr…

