{"id":42659,"date":"2021-05-25T00:00:00","date_gmt":"2021-05-25T00:00:00","guid":{"rendered":"https:\/\/www.trendmicro.com\/en_us\/research\/21\/e\/teamtnt-targets-kubernetes--nearly-50-000-ips-compromised.html"},"modified":"2021-05-25T00:00:00","modified_gmt":"2021-05-25T00:00:00","slug":"teamtnt-targets-kubernetes-nearly-50000-ips-compromised-in-worm-like-attack-vulnerability-researcher-threat-researcher","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/teamtnt-targets-kubernetes-nearly-50000-ips-compromised-in-worm-like-attack-vulnerability-researcher-threat-researcher\/","title":{"rendered":"TeamTNT Targets Kubernetes, Nearly 50,000 IPs Compromised in Worm-like Attack Vulnerability Researcher Threat Researcher"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/e\/teamtnt-targets-kubernetes,-nearly-50,000-ips-compromised-in-a-worm-like-attack\/Team%20TNT%20Kubernetes-641.png\"><!-- Begin mPulse library --><!-- END mPulse library --> <head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width\"> <meta name=\"description\" content=\"We have found and confirmed close to 50,000 IPs compromised by this attack perpetrated by TeamTNT across multiple clusters. 
\"> <meta name=\"robots\" content=\"index,follow\"> <meta name=\"keywords\" content=\"cloud,research,articles, news, reports,cyber threats\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> <meta name=\"template\" content=\"article1withouthero\"> <meta property=\"article:published_time\" content=\"2021-05-25\"> <meta property=\"article:tag\" content=\"cloud\"> <meta property=\"article:section\" content=\"research\"> <link rel=\"icon\" type=\"image\/ico\" href=\"\/content\/dam\/trendmicro\/favicon.ico\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/e\/teamtnt-targets-kubernetes--nearly-50-000-ips-compromised.html\"> <title>TeamTNT Targets Kubernetes, Nearly 50,000 IPs Compromised in Worm-like Attack<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/e\/teamtnt-targets-kubernetes--nearly-50-000-ips-compromised.html\"><br \/>\n<meta property=\"og:title\" content=\"TeamTNT Targets Kubernetes, Nearly 50,000 IPs Compromised in Worm-like Attack\"><br \/>\n<meta property=\"og:description\" content=\"We have found and confirmed close to 50,000 IPs compromised by this attack perpetrated by TeamTNT across multiple clusters. 
\"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/e\/teamtnt-targets-kubernetes,-nearly-50,000-ips-compromised-in-a-worm-like-attack\/Team%20TNT%20Kubernetes-641.png\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"TeamTNT Targets Kubernetes, Nearly 50,000 IPs Compromised in Worm-like Attack\"><br \/>\n<meta name=\"twitter:description\" content=\"We have found and confirmed close to 50,000 IPs compromised by this attack perpetrated by TeamTNT across multiple clusters. \"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/e\/teamtnt-targets-kubernetes,-nearly-50,000-ips-compromised-in-a-worm-like-attack\/Team%20TNT%20Kubernetes-641.png\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"49.697081300064\"> <!-- Page Scroll: Back to Top --> <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a> <!-- \/* Data Layer *\/ --> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"848430119\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"10\">\n<div class=\"article-details\" role=\"heading\" readability=\"40\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p 
class=\"article-details__display-tag\">Cloud<\/p>\n<p class=\"article-details__description\">We have found and confirmed close to 50,000 IPs compromised by this attack perpetrated by TeamTNT across multiple clusters. Several IPs were repeatedly exploited during the timeframe of the episode, occurring between March and May. <\/p>\n<p class=\"article-details__author-by\">By: Magno Logan, David Fiser <time class=\"article-details__date\">May 25, 2021<\/time> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"37.882252559727\">\n<div readability=\"23.017064846416\">\n<p><a href=\"https:\/\/kubernetes.io\/docs\/setup\/production-environment\/tools\/kubeadm\/install-kubeadm\/\" target=\"_blank\" rel=\"noopener\">Kubernetes<\/a> is the most widely adopted container orchestration platform for automating the deployment, scaling, and management of containerized applications. Unfortunately, like any widely used application, it makes for an attractive target for threat actors, as clusters are often misconfigured, especially those running primarily in cloud environments with access to nearly infinite resources. This article will discuss how TeamTNT \u2014 which we have <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/20\/l\/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html\">discussed extensively<\/a> in <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/c\/teamtnt-continues-attack-on-the-cloud--targets-aws-credentials.html\">previous articles<\/a>&nbsp;\u2014 has been scanning for and compromising Kubernetes clusters in the wild.<\/p>\n<p>We have found and confirmed close to 50,000 IPs compromised by this attack perpetrated by TeamTNT across multiple clusters. 
Several IPs were repeatedly exploited during the timeframe of the episode, occurring between March and May. Most of the compromised nodes were from China and the US \u2014 identified in the ISP (Internet Service Provider) list, which had Chinese and US-based providers as the highest hits, including some CSPs (Cloud Service Providers).&nbsp; It should be noted the numbers reflect the likelihood of significantly more clusters in operation for the US and China than many other countries.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/e\/teamtnt-targets-kubernetes,-nearly-50,000-ips-compromised-in-a-worm-like-attack\/Team%20TNT%20Kubernetes-1.jpg\" alt=\"Figure 1. The percentage of servers compromised per country. China and the United States make up most of the compromised IPs.\"><figcaption>Figure 1. The percentage of servers compromised per country. China and the United States make up most of the compromised IPs.<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"36.5\">\n<div readability=\"18\">\n<p>By analyzing data belonging to a few TeamTNT servers, we discovered the tools and techniques used by the group for this campaign.<\/p>\n<p><span class=\"body-subhead-title\">How a Kubernetes cluster is compromised<\/span><\/p>\n<p>This section will analyze one of the scripts we have collected from this threat actor that targets Kubernetes clusters. We collected one of the files from their server, named kube.lateral.sh, that had a low detection rate in VirusTotal at the time of writing. 
We break down what this script does and how it does it.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/e\/teamtnt-targets-kubernetes,-nearly-50,000-ips-compromised-in-a-worm-like-attack\/Team%20TNT%20Kubernetes-2.jpg\" alt=\"Figure 2. VirusTotal detections for kube.lateral.sh verified on April 24, 2021 (top) and May 5, 2021 (bottom)\"> <\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/e\/teamtnt-targets-kubernetes,-nearly-50,000-ips-compromised-in-a-worm-like-attack\/Team%20TNT%20Kubernetes-3.jpg\" alt=\"Figure 2. VirusTotal detections for kube.lateral.sh verified on April 24, 2021 (top) and May 5, 2021 (bottom)\"><figcaption>Figure 2. VirusTotal detections for kube.lateral.sh verified on April 24, 2021 (top) and May 5, 2021 (bottom)<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"46.339191564148\">\n<div readability=\"38.451669595782\">\n<h2><span class=\"body-subhead-title\">Setting up the environment<\/span><\/h2>\n<p>TeamTNT\u2019s first order of business is to disable the bash history on the target host and define environment variables for their command and control (C&amp;C) server, such as the script to install the crypto miner later and the binary of the XMRig Monero miner. Then a folder is created inside <i>\/tmp <\/i>using <i>$RANDOM<\/i> three times, generating a sequence of random numbers \u2014 for example, 132963764049, 64049520243 and 55772468520243. 
User and system architecture information is gathered using <i>whoami<\/i> and <i>uname -m<\/i>, and the results are stored in environment variables to be used later.<\/p>\n<p>The script also installs two free, open-source tools available from GitHub, the network scanning tool <a href=\"https:\/\/github.com\/robertdavidgraham\/masscan\" target=\"_blank\" rel=\"noopener\">masscan<\/a> \u2014 developed in C \u2014 and the banner-grabbing, deprecated <a href=\"https:\/\/github.com\/zmap\/zgrab\" target=\"_blank\" rel=\"noopener\">Zgrab<\/a> \u2014 developed in Go. The new version Zgrab2 is also open source and available on GitHub but is not installed with the script.&nbsp;<\/p>\n<h2><span class=\"body-subhead-title\">Downloading and installing the IRC Bot<\/span><\/h2>\n<p>The script has a large base64 encoded code block to install their IRC bot. We decoded and analyzed it and found that it is written in C and is stored on the <i>\/tmp<\/i> folder under the name <b>kube.c<\/b> to avoid suspicion. The bot code is compiled with GNU Compiler Collection (GCC) and removed after compiling completes. The resulting binary is then moved to the <i>\/root<\/i> folder and renamed to kube as the code below illustrates:<\/p>\n<p><span class=\"blockquote\"><i>&#8220;BASE64 ENCODED KUBE.C CODE HERE&#8221; | base64 -d &gt; \/var\/tmp\/kube.c<\/i><\/span><\/p>\n<p><span class=\"blockquote\"><i>cd \/var\/tmp\/; gcc -o \/var\/tmp\/kube \/var\/tmp\/kube.c &amp;&amp; rm -f \/var\/tmp\/kube.c<\/i><\/span><\/p>\n<p><span class=\"blockquote\"><i>mv \/var\/tmp\/kube \/root\/.kube &amp;&amp; chmod +x \/root\/.kube &amp;&amp; \/root\/.kube<\/i><\/span><\/p>\n<p>The IRC bot, also written in C, is based on another famous IRC bot called<a href=\"https:\/\/www.trendmicro.com\/vinfo\/tmr\/?\/us\/security\/news\/internet-of-things\/caught-in-the-crossfire-defending-devices-from-battling-botnets\"> Kaiten<\/a>. 
Similar code for these bots is also available on <a href=\"https:\/\/github.com\/shipcod3\/IRC-Bot-Hunters\/blob\/master\/malicious_samples\/kaiten.c\" target=\"_blank\" rel=\"noopener\">GitHub<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/e\/teamtnt-targets-kubernetes,-nearly-50,000-ips-compromised-in-a-worm-like-attack\/Team%20TNT%20Kubernetes-4.jpg\" alt=\"Figure 3. Code to install the IRC bot named kube.c.\"><figcaption>Figure 3. Code to install the IRC bot named kube.c.<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<h2><span class=\"body-subhead-title\">Pwning and cryptojacking Kubernetes pods<\/span><\/h2>\n<p>In the last part of the script, we can see a function \u2014 kube_pwn() \u2014 being declared, just like in the image shown below. As seen from the code, the kube_pwn function uses Masscan to check for any hosts with port 10250 open.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/e\/teamtnt-targets-kubernetes,-nearly-50,000-ips-compromised-in-a-worm-like-attack\/Team%20TNT%20Kubernetes-5.jpg\" alt=\"Figure 4. Code showing how the kube_pwn function uses Masscan to check for hosts with the port 10250 open.\"><figcaption>Figure 4. 
Code showing how the kube_pwn function uses Masscan to check for hosts with the port 10250 open.<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"44.048086359176\">\n<div readability=\"36.550539744848\">\n<h2><span class=\"body-subhead-title\">Kubelets<\/span><\/h2>\n<p>Those familiar with Kubernetes will know that this port belongs to the <a href=\"https:\/\/kubernetes.io\/docs\/reference\/command-line-tools-reference\/kubelet\/#:~:text=The%20kubelet%20is%20the%20primary,object%20that%20describes%20a%20pod.\" target=\"_blank\" rel=\"noopener\">kubelet<\/a> API, and by default, it is open on all nodes of a cluster, including the control plane and worker nodes. Locking it down is one of the essential first security hardening changes you should make on an operational K8s cluster. Kubelet is the agent that runs on each node and ensures that all containers are running in a pod. It is also the agent that is responsible for <u>any<\/u> configuration changes on the nodes. Although it is not on the <a href=\"https:\/\/kubernetes.io\/docs\/concepts\/overview\/components\/\" target=\"_blank\" rel=\"noopener\">main Kubernetes architecture diagram<\/a>, even the control plane node has a kubelet (and a kube-proxy) agent running if a user wants to run other pods there. However, it is not considered a best practice to run your application pods on the control plane as it affords attackers the opportunity to own the cluster as we see here.<\/p>\n<p>There are three critical factors for kubelet security settings:<\/p>\n<p>1. Enabling Kubelet authentication. According to the Kubernetes documentation, requests to the kubelet\u2019s API endpoint that are not blocked by other authentication methods are treated as anonymous requests by default. Please make sure you start the kubelets with the --anonymous-auth=false flag and disable anonymous access. 
For more information, check the <a href=\"https:\/\/kubernetes.io\/docs\/reference\/command-line-tools-reference\/kubelet-authentication-authorization\/#kubelet-authentication\" target=\"_blank\" rel=\"noopener\">Kubernetes official recommendations on Kubelet authentication<\/a>.<\/p>\n<p>2. Restricting kubelet permissions to prevent attackers from reading kubelet credentials after breaking out of the container to perform malicious actions.<\/p>\n<p>3. Rotating the kubelet certificates so that, if a compromise occurs, the certs are short-lived and the potential impact is reduced.&nbsp;<\/p>\n<p>According to the documentation for Kubernetes <a href=\"https:\/\/kubernetes.io\/docs\/setup\/production-environment\/tools\/kubeadm\/install-kubeadm\/\" target=\"_blank\" rel=\"noopener\">installation via kubeadm<\/a>, the ports below are the ones that need to be open for a cluster to work properly. The kubelet API port (10250) should not be exposed to the internet as it is akin to leaving your Docker Daemon API exposed. However, TeamTNT is compromising the kubelet after gaining access to the environment in this specific attack, so they run the scans internally. &nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/e\/teamtnt-targets-kubernetes,-nearly-50,000-ips-compromised-in-a-worm-like-attack\/Team%20TNT%20Kubernetes-6.jpg\" alt=\"Figure 5. Required ports for kubeadm installation. \"><figcaption>Figure 5. Required ports for kubeadm installation. <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35.5\">\n<div readability=\"16\">\n<p>The kubelet API is not well documented; however, we analyzed the Kubernetes code directly to understand what is happening, which is explained in the following sections. First, we looked at the server.go file inside the \/kubelet\/server package. 
As shown in Figure 5, the first thing the kube_pwn() function does is to get some information from the Kubelet API via the \/runningpods endpoint, filtering the namespace, pod name and container names.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/e\/teamtnt-targets-kubernetes,-nearly-50,000-ips-compromised-in-a-worm-like-attack\/Team%20TNT%20Kubernetes-7.jpg\" alt=\"Figure 6. Kubernetes kubelet API source code analysis. Source: https:\/\/github.com\/kubernetes\/kubernetes\/blob\/master\/pkg\/kubelet\/server\/server.go#L489\"><figcaption>Figure 6. Kubernetes kubelet API source code analysis. Source: https:\/\/github.com\/kubernetes\/kubernetes\/blob\/master\/pkg\/kubelet\/server\/server.go#L489<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"40\">\n<div readability=\"25\">\n<h2><span class=\"body-subhead-title\">Crypto jacking (deployed into pods)<\/span><\/h2>\n<p>As we can see from the kubelet server.go code above, the API endpoint \/runningpods does exactly what its name says: it lists the running pods. First, the kube_pwn() function lists all the current running pods inside the node in a JSON format. Then, for each container running on each node, it takes advantage of the \/run endpoint on the kubelet API to run the following commands:<\/p>\n<p>1. Updates the package index of the container.<\/p>\n<p>2. Installs the following packages: bash, wget and curl.<\/p>\n<p>3. Downloads a shell script called setup_xmr.sh from the TeamTNT C&amp;C server and saves it on the tmp folder.<\/p>\n<p>4. 
Executes the script to start mining for the Monero cryptocurrency.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/e\/teamtnt-targets-kubernetes,-nearly-50,000-ips-compromised-in-a-worm-like-attack\/Team%20TNT%20Kubernetes-8.jpg\" alt=\"Figure 7. Part of the kubelet API Server code from Kubernetes central repository on GitHub. Source: https:\/\/github.com\/kubernetes\/kubernetes\/blob\/master\/pkg\/kubelet\/server\/server.go#L410\"><figcaption>Figure 7. Part of the kubelet API Server code from Kubernetes central repository on GitHub. Source: https:\/\/github.com\/kubernetes\/kubernetes\/blob\/master\/pkg\/kubelet\/server\/server.go#L410<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>To finish this, they run the same kube_pwn() function we analyzed against a series of internal IP ranges looking for new targets to compromise, with similar behavior to a worm.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/e\/teamtnt-targets-kubernetes,-nearly-50,000-ips-compromised-in-a-worm-like-attack\/Team%20TNT%20Kubernetes-9.jpg\" alt=\"Figure 8. A piece of code from the kube.lateral.sh, the file identified on TeamTNT\u2019s C&amp;C server.\"><figcaption>Figure 8. 
A piece of code from the kube.lateral.sh, the file identified on TeamTNT\u2019s C&amp;C server.<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"36.706179066835\">\n<div readability=\"20.28499369483\">\n<p>According to the new <a href=\"https:\/\/attack.mitre.org\/matrices\/enterprise\/containers\/\">MITRE ATT&amp;CK for Containers<\/a>, Exploit Public-Facing Applications (T1190) is one of the entry points for attackers and could allow them to take over an organization\u2019s cluster via RBAC misconfiguration or a cluster\u2019s vulnerable version.<\/p>\n<p><span class=\"body-subhead-title\">How to secure the Kube API Server<\/span><\/p>\n<p>It is important for organizations to ensure that their Kube API Servers are not exposed. A straightforward way to check is by attempting to hit the API server from an external IP. This curl request should be used to check if the API is public-facing or otherwise: \u201ccurl -k https:\/\/API-SERVER-IP:PORT\/api\u201d.<\/p>\n<p>If there is a response from this curl request, similar to the one shown in Figure 9, then it means that the API is publicly available and is exposed:&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/e\/teamtnt-targets-kubernetes,-nearly-50,000-ips-compromised-in-a-worm-like-attack\/Team%20TNT%20Kubernetes-10.jpg\" alt=\"Figure 9. An example of a response after performing a curl request to check if an API is publicly accessible.\"><figcaption>Figure 9. 
An example of a response after performing a curl request to check if an API is publicly accessible.<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35.208413001912\">\n<div class=\"responsive-table-wrap\" readability=\"22.602931803697\">\n<p>Other best practices for protecting Kubernetes deployments can be found in our infosec guide, \u201c<a href=\"https:\/\/www.trendmicro.com\/vinfo\/tmr\/?\/us\/security\/news\/virtualization-and-cloud\/the-basics-of-keeping-your-kubernetes-cluster-secure-part-1\">The Basics of Keeping Kubernetes Clusters Secure.\u201d<\/a><\/p>\n<p>Cloud security solutions such as <a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/hybrid-cloud\/cloud-migration-security.html\">Trend Micro Cloud One\u2122<\/a>&nbsp;help enterprises access protection for continuous integration and continuous delivery (CI\/CD) pipelines and applications. The platform includes:<\/p>\n<p><span class=\"body-subhead-title\">Conclusion<\/span><\/p>\n<p>This campaign is notable because it is the first time we analyzed published tools from the TeamTNT group. Furthermore, the continued use of crypto-jacking and credential-stealing indicates that these will remain in the threat actor\u2019s primary repertoire of techniques for the near future.<\/p>\n<p>The high number of targets shows that TeamTNT is still expanding its reach (especially in cloud environments) and perhaps infrastructure since the group can monetize a more significant amount from their campaigns with more potential victims. 
The group\u2019s activities add to the <a href=\"https:\/\/www.trendmicro.com\/vinfo\/tmr\/?\/us\/\/security\/news\/virtualization-and-cloud\/guidance-on-kubernetes-threat-modeling\">number of potential threats<\/a> that Kubernetes users face.<\/p>\n<p><span class=\"body-subhead-title\">Indicators of Compromise (IOCs)<\/span><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody readability=\"1\">\n<tr>\n<td width=\"103\" valign=\"top\">\n<p>File name<\/p>\n<\/td>\n<td width=\"476\" valign=\"top\">\n<p>SHA256<\/p>\n<\/td>\n<td width=\"161\" valign=\"top\">\n<p>Detection name<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"103\" valign=\"top\">\n<p>kube.lateral.sh<\/p>\n<\/td>\n<td width=\"476\" valign=\"top\" readability=\"5\">\n<p>0dc0d5e9d127c8027c0a5ed0ce237ab07d3ef86706d1f8d032bc8f140869c5ea<\/p>\n<\/td>\n<td width=\"161\" valign=\"top\">\n<p>Trojan.SH.YELLOWDYE.A<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!-- \/* Core functionality javascripts, absolute URL to leverage Akamai CDN *\/ --> <!--For Modal-start--> <\/p>\n<p> <!--For Modal-end--> <!-- Go to www.addthis.com\/dashboard to customize your tools --> <\/body> <\/p>\n","protected":false},"excerpt":{"rendered":"<p>We have found and confirmed close to 50,000 IPs compromised by this attack perpetrated by TeamTNT across multiple clusters. Several IPs were repeatedly exploited during the timeframe of the episode, occurring between March and May. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":42660,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9520,9511,9509],"class_list":["post-42659","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cloud","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>TeamTNT Targets Kubernetes, Nearly 50,000 IPs Compromised in Worm-like Attack Vulnerability Researcher Threat Researcher 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/teamtnt-targets-kubernetes-nearly-50000-ips-compromised-in-worm-like-attack-vulnerability-researcher-threat-researcher\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"TeamTNT Targets Kubernetes, Nearly 50,000 IPs Compromised in Worm-like Attack Vulnerability Researcher Threat Researcher 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/teamtnt-targets-kubernetes-nearly-50000-ips-compromised-in-worm-like-attack-vulnerability-researcher-threat-researcher\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2021-05-25T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/09\/teamtnt-targets-kubernetes-nearly-50000-ips-compromised-in-worm-like-attack-vulnerability-researcher-threat-researcher.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1099\" \/>\n\t<meta property=\"og:image:height\" content=\"712\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/teamtnt-targets-kubernetes-nearly-50000-ips-compromised-in-worm-like-attack-vulnerability-researcher-threat-researcher\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/teamtnt-targets-kubernetes-nearly-50000-ips-compromised-in-worm-like-attack-vulnerability-researcher-threat-researcher\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"TeamTNT Targets Kubernetes, Nearly 50,000 IPs Compromised in Worm-like Attack Vulnerability Researcher Threat Researcher\",\"datePublished\":\"2021-05-25T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/teamtnt-targets-kubernetes-nearly-50000-ips-compromised-in-worm-like-attack-vulnerability-researcher-threat-researcher\\\/\"},\"wordCount\":1695,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/teamtnt-targets-kubernetes-nearly-50000-ips-compromised-in-worm-like-attack-vulnerability-researcher-threat-researcher\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/09\\\/teamtnt-targets-kubernetes-nearly-50000-ips-compromised-in-worm-like-attack-vulnerability-researcher-threat-researcher.jpg\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cloud\",\"Trend Micro Research : Cyber Threats\",\"Trend Micro Research : 
Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/teamtnt-targets-kubernetes-nearly-50000-ips-compromised-in-worm-like-attack-vulnerability-researcher-threat-researcher\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/teamtnt-targets-kubernetes-nearly-50000-ips-compromised-in-worm-like-attack-vulnerability-researcher-threat-researcher\\\/\",\"name\":\"TeamTNT Targets Kubernetes, Nearly 50,000 IPs Compromised in Worm-like Attack Vulnerability Researcher Threat Researcher 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/teamtnt-targets-kubernetes-nearly-50000-ips-compromised-in-worm-like-attack-vulnerability-researcher-threat-researcher\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/teamtnt-targets-kubernetes-nearly-50000-ips-compromised-in-worm-like-attack-vulnerability-researcher-threat-researcher\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/09\\\/teamtnt-targets-kubernetes-nearly-50000-ips-compromised-in-worm-like-attack-vulnerability-researcher-threat-researcher.jpg\",\"datePublished\":\"2021-05-25T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/teamtnt-targets-kubernetes-nearly-50000-ips-compromised-in-worm-like-attack-vulnerability-researcher-threat-researcher\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/teamtnt-targets-kubernetes-nearly-50000-ips-compromised-in-worm-like-attack-vulnerability-researcher-threat-researcher\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/teamtnt-targets-kubernetes-nearly-50000-ips-compromised-in-worm-like-attack-vulnerability-researcher-threat-researcher\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/09\\\/teamtnt-targets-kubernetes-nearly-50000-ips-compromised-in-worm-like-attack-vulnerability-researcher-threat-researcher.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/09\\\/teamtnt-targets-kubernetes-nearly-50000-ips-compromised-in-worm-like-attack-vulnerability-researcher-threat-researcher.jpg\",\"width\":1099,\"height\":712},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/teamtnt-targets-kubernetes-nearly-50000-ips-compromised-in-worm-like-attack-vulnerability-researcher-threat-researcher\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"TeamTNT Targets Kubernetes, Nearly 50,000 IPs Compromised in Worm-like Attack Vulnerability Researcher Threat 
Researcher\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.
org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"TeamTNT Targets Kubernetes, Nearly 50,000 IPs Compromised in Worm-like Attack Vulnerability Researcher Threat Researcher 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/teamtnt-targets-kubernetes-nearly-50000-ips-compromised-in-worm-like-attack-vulnerability-researcher-threat-researcher\/","og_locale":"en_US","og_type":"article","og_title":"TeamTNT Targets Kubernetes, Nearly 50,000 IPs Compromised in Worm-like Attack Vulnerability Researcher Threat Researcher 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/teamtnt-targets-kubernetes-nearly-50000-ips-compromised-in-worm-like-attack-vulnerability-researcher-threat-researcher\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2021-05-25T00:00:00+00:00","og_image":[{"width":1099,"height":712,"url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/09\/teamtnt-targets-kubernetes-nearly-50000-ips-compromised-in-worm-like-attack-vulnerability-researcher-threat-researcher.jpg","type":"image\/jpeg"}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/teamtnt-targets-kubernetes-nearly-50000-ips-compromised-in-worm-like-attack-vulnerability-researcher-threat-researcher\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/teamtnt-targets-kubernetes-nearly-50000-ips-compromised-in-worm-like-attack-vulnerability-researcher-threat-researcher\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"TeamTNT Targets Kubernetes, Nearly 50,000 IPs Compromised in Worm-like Attack Vulnerability Researcher Threat 
Researcher","datePublished":"2021-05-25T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/teamtnt-targets-kubernetes-nearly-50000-ips-compromised-in-worm-like-attack-vulnerability-researcher-threat-researcher\/"},"wordCount":1695,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/teamtnt-targets-kubernetes-nearly-50000-ips-compromised-in-worm-like-attack-vulnerability-researcher-threat-researcher\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/09\/teamtnt-targets-kubernetes-nearly-50000-ips-compromised-in-worm-like-attack-vulnerability-researcher-threat-researcher.jpg","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cloud","Trend Micro Research : Cyber Threats","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/teamtnt-targets-kubernetes-nearly-50000-ips-compromised-in-worm-like-attack-vulnerability-researcher-threat-researcher\/","url":"https:\/\/www.threatshub.org\/blog\/teamtnt-targets-kubernetes-nearly-50000-ips-compromised-in-worm-like-attack-vulnerability-researcher-threat-researcher\/","name":"TeamTNT Targets Kubernetes, Nearly 50,000 IPs Compromised in Worm-like Attack Vulnerability Researcher Threat Researcher 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/teamtnt-targets-kubernetes-nearly-50000-ips-compromised-in-worm-like-attack-vulnerability-researcher-threat-researcher\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/teamtnt-targets-kubernetes-nearly-50000-ips-compromised-in-worm-like-attack-vulnerability-researcher-threat-researcher\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/09\/teamtnt-targets-kubernetes-nearly-50000-ips-compromised-in-worm-like-attack-vulnerability-researcher-threat-researcher.jpg","datePublished":"2021-05-25T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/teamtnt-targets-kubernetes-nearly-50000-ips-compromised-in-worm-like-attack-vulnerability-researcher-threat-researcher\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/teamtnt-targets-kubernetes-nearly-50000-ips-compromised-in-worm-like-attack-vulnerability-researcher-threat-researcher\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/teamtnt-targets-kubernetes-nearly-50000-ips-compromised-in-worm-like-attack-vulnerability-researcher-threat-researcher\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/09\/teamtnt-targets-kubernetes-nearly-50000-ips-compromised-in-worm-like-attack-vulnerability-researcher-threat-researcher.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/09\/teamtnt-targets-kubernetes-nearly-50000-ips-compromised-in-worm-like-attack-vulnerability-researcher-threat-researcher.jpg","width":1099,"height":712},{"@type":"BreadcrumbList","@id":"https:\/\/www.
threatshub.org\/blog\/teamtnt-targets-kubernetes-nearly-50000-ips-compromised-in-worm-like-attack-vulnerability-researcher-threat-researcher\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"TeamTNT Targets Kubernetes, Nearly 50,000 IPs Compromised in Worm-like Attack Vulnerability Researcher Threat Researcher"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/42659","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=42659"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/42659\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/42660"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=42659"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=42659"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=42659"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}