Aqua Blog

How to Secure Your Containers from TeamTNT’s Docker Gatling Gun Campaign

Aqua’s Runtime Protection acts as a powerful last line of defense when threats bypass your perimeter controls. In attacks like TeamTNT’s Docker Gatling Gun, Aqua monitors container behavior in real time to detect and stop suspicious activity such as file-less execution or resource hijacking. With flexible policies, you can automatically alert and/or block compromised containers to maintain a secure environment.

Step-by-Step Guide

  1. Create a Runtime Policy
    Log in to the Aqua console and navigate to Workload Protection > Policies > Runtime Policies.
  2. Enable Runtime Policy
    Select Add Policy and choose Container Runtime Policy.
  3. Enable Runtime Controls
    Choose the controls you want to enable, such as Block Fileless Execution, then set the Enforcement Mode to Audit or Enforce, depending on your organization’s security policies.

Aqua Runtime policies configured to block Fileless Execution

For more prevention and remediation strategies, including Aqua’s Runtime Protection Policies, visit our Support Portal.

Scripts, Scans, and Shenanigans: The Story of TeamTNT

TeamTNT presents quite a conundrum, a threat actor full of contradictions. On one hand, they demonstrate a wide range of targets, rapid internet-wide scanning capabilities that can identify victims in under an hour, and a deep familiarity with cloud native technologies. On the other hand, they often recycle large portions of code from other sources, rely heavily on offensive open-source tools, and make frequent operational mistakes that either slow down or completely break their attacks. Their strong dependence on automation raises questions about their true nature—are they a cohesive team, or a skilled individual operating under a collective identity?

Widely regarded by the security community as a “pure” cloud native attacker, TeamTNT is known for targeting cloud services and platforms such as Docker, Kubernetes, and Redis. They utilize cloud native offensive tools like Escape Pod and container escape techniques to move laterally across networks. In addition to host compromise, they aim to hijack cloud accounts by harvesting credentials and access tokens, showcasing a hybrid attack model that blends infrastructure exploitation with cloud account takeover.

Their campaigns demonstrate a strong understanding of how to navigate and exploit modern cloud infrastructures, often bridging the gap between cloud and on-prem environments to maximize their impact.

What further distinguishes TeamTNT is their colorful persona: they maintain a unique signature, a public presence on social media, and even a blog hosted on their website. Their messaging blurs the lines between attacker and activist, sometimes portraying themselves as innocent “bystanders” offering unsolicited “security consulting” in exchange for small fees, resource hijacking and data exposure—framing the security community as the villains and themselves as misunderstood heroes. We hope that deep down they don’t believe that.

Don’t wait for an attack to reveal the gaps

Contact your Aqua Sales Representative or Customer Success Manager today to learn how you can strengthen your container security and prevent real-world attacks.

For more detailed information about the Gatling Gun campaign, read our blog: TeamTNT’s Docker Gatling Gun Campaign