
Hildegard: New TeamTNT Malware Targeting Kubernetes Clusters Propagates Through SSH

February 17, 2021 | A. Morris

The number of malware campaigns designed to target and propagate through SSH machine identities is growing by the day. Since January this year, new malware developed by the TeamTNT cybercrime gang has been attacking misconfigured Kubernetes clusters. Once initial access is gained, the malware, dubbed Hildegard, attempts to spread to as many containers as possible through SSH and other machine identities, and eventually launches a cryptominer.

TeamTNT specializes in attacking the cloud, specifically Docker API servers and Kubernetes instances, and in deploying unique and rare credential-stealing worms within AWS using an SSH post-exploitation tool. It is also infamous for abusing the legitimate cloud-monitoring tool Weave Scope.

How were SSH machine identities used?

TeamTNT’s new malware campaign is targeting Kubernetes clusters via a misconfigured kubelet that allows anonymous access. Once it has a foothold in a Kubernetes cluster, the malware attempts to spread to as many containers as possible by stealing SSH machine identities and using them to propagate to other containers.

Credential Access

Hildegard searches for credential files on the host and also queries instance metadata for cloud-specific credentials. The identified credentials are sent back to the C2.

The searched credentials include:

  • Cloud access keys
  • Cloud access tokens
  • SSH keys
  • Docker credentials
  • Kubernetes service tokens

How can Venafi help?

Using Venafi SSH Protect to manage your SSH machine identities, you can discover all SSH machine identities in the environment, who they belong to and what they are used for. This comprehensive visibility will help you maximize threat detection in encrypted traffic, maintain active control over SSH keys and centralize your machine identity governance and administration.

Once you have a complete inventory of your SSH machine identities, you should map all trust relationships and identify and remove any orphaned and duplicate authorized keys. You should also ensure that keys are passphrase-protected and that they use approved key lengths and algorithms. Furthermore, you should assign ownership of all access-granting keys, and monitor and analyze key-based access usage.
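The inventory step above is easy to start by hand: parse every authorized_keys file, fingerprint each key, and flag the entries that need a decision. The script below is an added example written for this post (it is not Venafi code and not part of SSH Protect); it parses the authorized_keys format, reports duplicate keys by SHA256 fingerprint, deprecated key types, RSA keys below a policy floor, and keys with no comment to tie them to an owner. The sample file, the key blobs in it (built synthetically so no real key material is needed) and the 3072-bit RSA floor are all constructed assumptions.

```python
import base64
import hashlib
import struct

# Assumptions for this example: DSA is deprecated, and RSA below 3072 bits is out of policy.
DEPRECATED_TYPES = {"ssh-dss"}
MIN_RSA_BITS = 3072
KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")


def _encode_string(data):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(blob, offset):
    (n,) = struct.unpack_from(">I", blob, offset)
    return blob[offset + 4 : offset + 4 + n], offset + 4 + n


def _mpint(value):
    """SSH wire 'mpint': two's-complement big-endian, so a leading 0x00 if the high bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _encode_string(raw)


def rsa_bits(blob):
    """Modulus size of an ssh-rsa public key blob (string type, mpint e, mpint n)."""
    keytype, off = _read_string(blob, 0)
    if keytype != b"ssh-rsa":
        return None
    _e, off = _read_string(blob, off)
    n, _ = _read_string(blob, off)
    return int.from_bytes(n, "big").bit_length()


def parse_authorized_keys(text):
    """Return one dict per key line: options, keytype, fingerprint, bits, comment."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        # The key type is the first token with a known prefix; anything before it is options.
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_PREFIXES)), None)
        if idx is None or idx + 1 >= len(tokens):
            entries.append({"line": lineno, "error": "unparseable"})
            continue
        try:
            blob = base64.b64decode(tokens[idx + 1], validate=True)
        except ValueError:
            entries.append({"line": lineno, "error": "bad-base64"})
            continue
        digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
        entries.append({
            "line": lineno,
            "options": " ".join(tokens[:idx]),
            "keytype": tokens[idx],
            "fingerprint": "SHA256:" + digest,
            "bits": rsa_bits(blob),
            "comment": " ".join(tokens[idx + 2 :]),
        })
    return entries


def audit(entries):
    """Apply the policy checks and return findings as dicts with line, code and detail."""
    findings, seen = [], {}
    for e in entries:
        if "error" in e:
            findings.append({"line": e["line"], "code": e["error"], "detail": ""})
            continue
        if e["keytype"] in DEPRECATED_TYPES:
            findings.append({"line": e["line"], "code": "deprecated-type", "detail": e["keytype"]})
        if e["keytype"] == "ssh-rsa" and e["bits"] < MIN_RSA_BITS:
            findings.append({"line": e["line"], "code": "weak-rsa", "detail": f"{e['bits']} bits"})
        if not e["comment"]:
            findings.append({"line": e["line"], "code": "no-owner", "detail": "no comment to attribute the key"})
        if e["fingerprint"] in seen:
            findings.append({"line": e["line"], "code": "duplicate", "detail": f"same key as line {seen[e['fingerprint']]}"})
        else:
            seen[e["fingerprint"]] = e["line"]
    return findings


def _b64(blob):
    return base64.b64encode(blob).decode()


# Constructed sample file: synthetic blobs, not real keys.
_ED = _b64(_encode_string(b"ssh-ed25519") + _encode_string(bytes(range(32))))
_RSA1024 = _b64(_encode_string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << 1023) | 1))
_RSA4096 = _b64(_encode_string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << 4095) | 1))
_DSS = _b64(_encode_string(b"ssh-dss") + _encode_string(b"\x01" * 20))
SAMPLE = "\n".join([
    "# constructed sample authorized_keys",
    f"ssh-ed25519 {_ED} alice@laptop",
    f"ssh-rsa {_RSA1024} deploy-2016",
    f"ssh-dss {_DSS}",
    f'from="10.0.0.0/8",no-pty ssh-rsa {_RSA4096} ci-runner',
    f"ssh-ed25519 {_ED} alice-old-entry",
])

if __name__ == "__main__":
    for f in audit(parse_authorized_keys(SAMPLE)):
        print(f"line {f['line']}: {f['code']} {f['detail']}")
```

Run it against a real file with `audit(parse_authorized_keys(open(path).read()))`; the fingerprints match what `ssh-keygen -lf` prints, so a duplicate found here can be cross-checked against your key inventory before the entry is removed.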

Here’s a list of actions you should take to protect your SSH machine identities.

  • Control SSH identities and authorized keys
  • Control SSH configuration files and known hosts files to prevent any tampering
  • Implement clearly defined SSH key management policies
  • Define SSH hardening configurations
  • Create an inventory and a remediation policy
  • Establish a continuous monitoring and audit process
  • Automate the whole process
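Two of the items above, controlling SSH configuration and known_hosts files against tampering and establishing continuous monitoring, can be backed by a simple integrity baseline: hash each SSH file, record its permissions and owner, and re-check on a schedule. The following is an added example written for this post, not Venafi code or any product's implementation; the file paths, the constructed sshd_config and key lines, and the "no group or world write" permission rule are assumptions. The `demo()` function builds a throwaway directory, takes a baseline, simulates an added authorized key and a loosened known_hosts permission, and reports what changed.

```python
import hashlib
import os
import stat
import tempfile

# Assumption: the SSH files worth baselining on a typical Linux host.
SSH_FILES = ["/etc/ssh/sshd_config", "/root/.ssh/authorized_keys", "/root/.ssh/known_hosts"]


def file_record(path):
    """Content hash plus the metadata an attacker would have to change to plant a key."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid}


def snapshot(paths):
    """Map each path to its record, or None if the file does not exist."""
    return {p: (file_record(p) if os.path.exists(p) else None) for p in paths}


def diff_snapshots(baseline, current):
    """List (path, change) tuples for every file that differs from the baseline."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        before, after = baseline.get(path), current.get(path)
        if before == after:
            continue
        if before is None:
            changes.append((path, "created"))
        elif after is None:
            changes.append((path, "deleted"))
        else:
            if before["sha256"] != after["sha256"]:
                changes.append((path, "content-changed"))
            if before["mode"] != after["mode"] or before["uid"] != after["uid"]:
                changes.append((path, "metadata-changed"))
    return changes


def permission_findings(snap):
    """Flag files writable by group or other; SSH config and key files should never be."""
    return [(p, "group-or-world-writable") for p, rec in snap.items() if rec and rec["mode"] & 0o022]


def demo():
    """Constructed scenario in a temp dir: baseline, simulated tampering, re-check."""
    root = tempfile.mkdtemp()
    sshd = os.path.join(root, "sshd_config")
    ak = os.path.join(root, "authorized_keys")
    kh = os.path.join(root, "known_hosts")
    with open(sshd, "w") as f:
        f.write("PermitRootLogin no\nPasswordAuthentication no\n")
    with open(ak, "w") as f:
        f.write("ssh-ed25519 AAAAexamplekey alice@laptop\n")  # constructed, not a real key
    with open(kh, "w") as f:
        f.write("build.internal ssh-ed25519 AAAAexamplehostkey\n")  # constructed
    for p in (sshd, ak, kh):
        os.chmod(p, 0o600)
    baseline = snapshot([sshd, ak, kh])

    # Simulated tampering: an extra authorized key and a world-writable known_hosts.
    with open(ak, "a") as f:
        f.write("ssh-ed25519 BBBBexamplekey unknown-actor\n")
    os.chmod(kh, 0o666)
    current = snapshot([sshd, ak, kh])

    def names(items):
        return sorted((os.path.basename(p), what) for p, what in items)

    return names(diff_snapshots(baseline, current)), names(permission_findings(current))


if __name__ == "__main__":
    changes, perms = demo()
    print("changes:", changes)
    print("permission findings:", perms)
```

In production the baseline would be stored off-host (or signed) and `snapshot(SSH_FILES)` run from a cron job or agent, with any `content-changed` on authorized_keys treated as an alert rather than a log line, since that is exactly the change a propagating worm makes.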

Further reading:

Are you securing your SSH connections? Get a free assessment with SSH Protect!
