TeamTNT hackers target your poorly configured Docker servers


Poorly configured Docker servers and being actively focused by the TeamTNT hacking group in an ongoing marketing campaign began final month.

In line with a report by researchers at TrendMicro, the actors have three distinct objectives: to put in Monero cryptominers, scan for different susceptible Web-exposed Docker situations, and carry out container-to-host escapes to entry the primary community.

As illustrated in an assault workflow, the assault begins with making a container on the susceptible host utilizing an uncovered Docker REST API.

TeamTNT Docker abuse workflow
TeamTNT Docker abuse workflow
Supply: TrendMicro

TeamTNT then makes use of compromised, or actor-controlled Docker Hub accounts to host malicious photos and deploy them on a focused host.

TrendMicro has seen over 150,000 pulls of photos from the malicious Docker Hub accounts as a part of this marketing campaign.

Subsequent, the dropped container executes cronjobs and fetches numerous post-exploitation and lateral motion instruments, together with container escaping scripts, credential stealers, and cryptocurrency miners.

When scanning for different susceptible situations, the menace actors test ports 2375, 2376, 2377, 4243, 4244, which has been noticed in previous DDoS botnet campaigns.

The actors additionally try to gather server information such because the OS kind, structure, variety of CPU cores, container registry, and the present swarm participation standing.

The container picture that’s created is predicated on the AlpineOS system and is executed with flags that enable root-level permissions on the underlying host.

Similarities between old and past container samples
Similarities between outdated and previous container picture samples
Supply: TrendMicro

Lastly, the IP tackle that’s used for TeamTNT’s present infrastructure (45[.]9[.]148[.]182) has been related to a number of domains that served malware previously.

Earlier marketing campaign laid the groundwork

TrendMicro reviews that this marketing campaign additionally makes use of compromised Docker Hub accounts managed by TeamTNT to drop malicious Docker photos.

Utilizing compromised Docker Hub accounts makes the distribution factors extra dependable for the actors, as they’re tougher to map, report, and takedown.

The actors have been noticed accumulating Docker Hub credentials in a earlier marketing campaign analyzed by TrendMicro in July when credentials stealers have been deployed in assaults.

“Our  July 2021 research into TeamTNT confirmed that the group beforehand used credential stealers that may rake in credentials from configuration recordsdata. This may very well be how TeamTNT gained the data it used for the compromised websites on this assault,” explains TrendMicro’s research revealed immediately.

As such, TeamTNT demonstrates a excessive degree of operational planning, being organized and purposeful of their objectives.

Everlasting menace to Docker techniques

TeamTNT is a classy actor that continually evolves its methods, shifts short-term focusing on focus however stays a continuing menace to susceptible Docker techniques.

They first created a worm to exploit Docker and Kubernetes en masse again in August 2020.

In October 2020, the actors added Monero mining and credential-stealing capabilities, focusing on Docker situations.

In January 2021, TeamTNT upgraded its miners with sophisticated detection evasion tricks whereas nonetheless harvesting consumer credentials from the compromised servers.

Docker gives some “necessary” ideas that can be utilized lock down Docker’s REST API and stop some of these assaults.

“Subsequently it’s necessary to safe API endpoints with HTTPS and certificates. Additionally it is really useful to make sure that it’s reachable solely from a trusted community or VPN,” explains Docker’s security guide.

Leave a Reply