In a campaign that began last month, the TeamTNT hacker organization actively targeted misconfigured Docker servers.
According to TrendMicro researchers, the hackers have three unique aims: install Monero cryptominers, scout for more vulnerable Internet-exposed Docker instances, and execute container-to-host escapes to access the primary network.
The attack begins by exploiting an exposed Docker REST API to create a container on the vulnerable host, as illustrated in the attack process.
TeamTNT then uses Docker Hub accounts that have been compromised or that it controls directly to host malicious images and deploy them on the targeted server. As part of this campaign, TrendMicro has observed over 150,000 image pulls from these rogue Docker Hub accounts.
The deployed container then runs cron jobs and downloads a variety of post-exploitation and lateral-movement tools, including container escape scripts, credential stealers, and cryptocurrency miners.
The threat actors scan for further vulnerable instances on ports 2375, 2376, 2377, 4243, and 4244, as seen in earlier DDoS botnet campaigns. They also collect information about the server, such as the operating system, architecture, container registry, number of CPU cores, and whether it is currently part of a swarm.
The resulting container image is based on Alpine Linux and is run with flags that grant it root-level access to the underlying host.
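A defender's first question after reading this is which running containers on a host were started with that kind of host-level access. The following audit, added here as an example and not code from the article or from TrendMicro, reads `docker inspect` style JSON and flags the settings that commonly amount to root on the host: `Privileged`, host PID or network namespaces, bind mounts of sensitive host paths, and added capabilities. The two records are constructed for the example, and the list of "dangerous" capabilities and paths is my own selection rather than a published rule set.

```python
"""Audit `docker inspect` output for settings that give a container
root-level reach into the host. Added example, not from the article or
from TrendMicro; sample records are constructed, thresholds are my own."""
import json

# Constructed sample in the shape of `docker inspect <id> <id>` output,
# trimmed to the fields the audit reads. The first record resembles a
# container launched for host access; the second is an ordinary service.
CONSTRUCTED_INSPECT = json.dumps([
    {
        "Id": "aaaa1111",
        "Name": "/miner-dropper",
        "Config": {"Image": "example-rogue-account/alpine-tnt:latest"},
        "HostConfig": {
            "Privileged": True,
            "PidMode": "host",
            "NetworkMode": "host",
            "Binds": ["/:/host:rw", "/var/run/docker.sock:/var/run/docker.sock"],
            "CapAdd": ["SYS_ADMIN"],
        },
    },
    {
        "Id": "bbbb2222",
        "Name": "/web",
        "Config": {"Image": "nginx:1.25"},
        "HostConfig": {
            "Privileged": False,
            "PidMode": "",
            "NetworkMode": "bridge",
            "Binds": ["/srv/www:/usr/share/nginx/html:ro"],
            "CapAdd": None,
        },
    },
])

# My own selection of capabilities and host paths worth flagging.
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH"}
SENSITIVE_HOST_PATHS = ("/var/run/docker.sock", "/etc", "/root", "/proc", "/sys")


def _sensitive_bind(src: str) -> bool:
    """True if the host side of a bind mount is the root fs or a listed path."""
    if src == "/":
        return True
    return any(src == p or src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def host_escape_risks(record: dict) -> list[str]:
    """Return human-readable findings for one inspect record."""
    hc = record.get("HostConfig") or {}
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged: all capabilities and raw device access on the host")
    if hc.get("PidMode") == "host":
        findings.append("pid=host: container can see and signal host processes")
    if hc.get("NetworkMode") == "host":
        findings.append("network=host: container shares the host network namespace")
    for bind in hc.get("Binds") or []:
        src = bind.split(":", 1)[0]           # host path is the part before the first colon
        if _sensitive_bind(src):
            findings.append(f"bind mount of sensitive host path {src}")
    for cap in hc.get("CapAdd") or []:
        name = cap.upper().removeprefix("CAP_")
        if name in DANGEROUS_CAPS:
            findings.append(f"added capability {name}")
    return findings


def audit_inspect(inspect_json: str) -> dict[str, list[str]]:
    """Map container name -> findings, omitting containers with none."""
    report = {}
    for rec in json.loads(inspect_json):
        risks = host_escape_risks(rec)
        if risks:
            report[rec.get("Name", rec.get("Id", "?"))] = risks
    return report


if __name__ == "__main__":
    for name, risks in audit_inspect(CONSTRUCTED_INSPECT).items():
        print(name)
        for risk in risks:
            print("  -", risk)
```

On a real host, feed it `docker inspect $(docker ps -q)`; the container named `/miner-dropper` in the sample trips all six checks while `/web` produces none.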
Finally, the IP address used by TeamTNT's current infrastructure (45[.]9[.]148[.]182) has previously been linked to various malware-serving sites.
According to TrendMicro, the campaign also uses compromised Docker Hub accounts under TeamTNT's control to distribute malicious Docker images. Because compromised Docker Hub accounts are harder to map, report, and take down, they make more reliable distribution points for the actors.
In an earlier campaign analyzed by TrendMicro in July, in which credential stealers were deployed, the attackers were observed harvesting Docker Hub credentials.
Our investigation into TeamTNT in July 2021 revealed that the gang had previously employed credential stealers to harvest credentials from configuration files. This might be how TeamTNT obtained the information used for the compromised sites in this operation, as per TrendMicro's analysis. As a result, TeamTNT exemplifies a high degree of operational planning, being well-organized and focused on its objectives.
TeamTNT is an adaptable actor that regularly modifies its techniques, shifts its short-term targeting focus, and remains a continual threat to vulnerable Docker systems.
Docker offers several "essential" recommendations for securing its REST API and preventing attacks like these.
API endpoints should be protected with HTTPS and certificates (TLS with client verification). Docker's security guidance also advises making sure the daemon is only reachable over a trusted network or VPN.
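The misconfiguration the campaign relies on is visible in the daemon's own configuration, so it can be checked before anyone else does. The script below is an added example, not Docker's tooling: it parses a `daemon.json`, and flags a `tcp://` listener that lacks `tlsverify` (client-certificate authentication) or that binds every interface instead of a trusted-network address. The weak and corrected configurations are constructed for the example, the 10.0.5.20 address stands in for an internal or VPN interface, and the certificate paths under `/etc/docker/certs/` are placeholders. The `hosts`, `tls`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` keys are real daemon options; the port convention (2375 plaintext, 2376 TLS) is Docker's.

```python
"""Check a Docker daemon.json for the API exposure this campaign abuses:
a tcp:// listener with no TLS client authentication. Added example, not
Docker's own tooling; both configs are constructed, cert paths are placeholders."""
import json
from urllib.parse import urlsplit

# Constructed: the weak setting. Remote API on every interface, no TLS,
# so anyone who can reach port 2375 can create containers as root.
INSECURE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Constructed: the corrected setting. tlsverify makes dockerd demand a
# client certificate signed by tlscacert (mutual TLS), and the listener
# is bound to a placeholder trusted-network address rather than 0.0.0.0.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.5.20:2376"],
    "tls": True,
    "tlsverify": True,
    "tlscacert": "/etc/docker/certs/ca.pem",        # placeholder path
    "tlscert": "/etc/docker/certs/server-cert.pem",  # placeholder path
    "tlskey": "/etc/docker/certs/server-key.pem",    # placeholder path
})

WILDCARD_BINDS = {None, "0.0.0.0", "::"}   # urlsplit reports "[::]" as "::"


def audit_daemon_config(text: str) -> list[str]:
    """Return findings for one daemon.json document (empty list = nothing to fix)."""
    cfg = json.loads(text)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # unix socket only: not reachable from the network

    if not cfg.get("tlsverify"):
        findings.append("tcp listener without tlsverify: any client that can "
                        "reach the port has full control of the daemon")
    elif not all(cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey")):
        findings.append("tlsverify is set but tlscacert/tlscert/tlskey are incomplete")

    for host in tcp_hosts:
        parts = urlsplit(host)
        if parts.hostname in WILDCARD_BINDS:
            findings.append(f"{host} binds every interface; bind a trusted-network "
                            "or VPN address instead")
        if parts.port == 2375 and cfg.get("tlsverify"):
            findings.append(f"{host} uses the plaintext port 2375 with TLS; "
                            "2376 is the conventional TLS port")
    return findings


def audit_file(path: str) -> list[str]:
    """Convenience wrapper for a real /etc/docker/daemon.json."""
    with open(path, encoding="utf-8") as fh:
        return audit_daemon_config(fh.read())


if __name__ == "__main__":
    for label, doc in (("insecure", INSECURE_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, "->", audit_daemon_config(doc) or "no findings")
```

One practical caveat when applying the corrected configuration: if the systemd unit already starts `dockerd` with `-H` on its command line (the stock units do), adding `hosts` to `daemon.json` conflicts with it and the daemon refuses to start, so either remove the `-H` flag through a drop-in override or pass the TLS options on the command line instead. The check above only covers what is reachable through the daemon config; the network-level half of Docker's advice (firewalling the port to a trusted network or VPN) still has to be verified separately.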