TeamTNT Has Compromised Nearly 50,000 Vulnerable Kubernetes Endpoints

Published on May 26, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

It looks like TeamTNT’s worming attacks are working exceptionally well against misconfigured and vulnerable Kubernetes endpoints, as according to a recent TrendMicro report, the malicious actors have compromised nearly 50,000 of them. Most of the intrusions target Chinese servers, while the United States, France, Germany, the UK, and Canada are also significantly affected. As the researchers report, some of these servers got repeatedly exploited, indicating the automation that goes in the scanning and worm-like spreading of the malware onto vulnerable endpoints.

Source: TrendMicro

TeamTNT appears to be using an executable named ‘kube.lateral.sh’, which is only detected by a fraction of AV engines in VirusTotal, so the chances to raise any red flags are slim. The hackers also disable the bash history on the target host and set up the C2 server communications to accommodate the Monero miner (XMRig) that’s dropped later.

Source: TrendMicro

The script also installs masscan and Zgrab, two off-the-shelf open-source network reconnaissance tools. Masscan is checking for any hosts with port 10250 open, which is left to open by default as part of the kubelet API.

Source: TrendMicro

The malware then lists all the running pods inside the node and then takes advantage of the /run endpoint to execute the following four commands:

  1. Update the package index of the container
  2. Install bash, wget, and curl
  3. Download a shell script called setup_xmr.sh from the C&C server and save it on the tmp folder
  4. Execute the script that starts the mining of Monero

In order to shut the door to TeamTNT’s attacks, you should close port 10250 on operational K8s clusters and protect Kube API servers from exposure. By running “curl -k https://API-SERVER-IP:PORT/api.”, you can check if any of your APIs are public-facing and remediate the issue. Moreover, running cloud security products would be a wise thing for sure.

Only a week ago, we analyzed why ‘TeamTNT’ is now considered a serious threat, having evolved from an “opportunistic actor” status. This latest report about Kubernetes targeting specifically underlines the fact that TeamTNT is targeting a wide scope of vulnerable systems, and with its worm-like attacks, the scale of the compromise is already impressive.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: