
TeamTNT Uses New Sophisticated Techniques Against Docker Systems

A recent report from TrendMicro indicates that cybercriminals are increasingly targeting weakly configured Docker systems exposed on the internet. Researchers spotted an ongoing campaign by TeamTNT abusing Docker REST APIs.

About the latest campaign

The campaign started in October, and researchers identified several factors connecting it to the TeamTNT group.
  • TeamTNT was found hosting malicious images on compromised Docker Hub accounts (such as alpineos, whose images together had more than 150,000 pulls) or on actor-controlled Docker Hub accounts.
  • These images are used to spin up containers that execute malicious scripts.

Malicious script actions

When executed, the scripts perform several activities:
  • Download and install Monero cryptominers and credential stealers, and fetch various post-exploitation and lateral movement tools.
  • Scan for vulnerable internet-exposed Docker instances by probing ports 2375, 2376, 2377, 4243, and 4244, the same ports observed in earlier DDoS botnet campaigns.
  • Perform container-to-host escapes. The actors also attempt to collect server information such as the OSType, container registry, architecture, current swarm participation status, and number of CPU cores.
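As an added defender-side example (not part of the Cyware or TrendMicro write-up), the following Python snippet applies the port list above to constructed connection-log lines and flags sources sweeping several Docker API ports, plus any external host that completed a connection to one; the log format and addresses are assumptions.

```python
"""Flag Docker REST API port sweeps and exposures in connection logs.

Constructed example: each line is "<timestamp> <src_ip> <dst_ip> <dst_port> <state>",
a simplified flow-log format assumed for illustration. The lines are made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the campaign's scripts probe for exposed Docker daemons (from the report).
DOCKER_API_PORTS = {2375, 2376, 2377, 4243, 4244}

CONSTRUCTED_LOG = """\
2021-11-09T10:00:01 203.0.113.5 10.0.0.12 2375 SYN
2021-11-09T10:00:01 203.0.113.5 10.0.0.12 2376 SYN
2021-11-09T10:00:02 203.0.113.5 10.0.0.12 4243 SYN
2021-11-09T10:00:02 203.0.113.5 10.0.0.12 4244 ESTABLISHED
2021-11-09T10:00:05 198.51.100.7 10.0.0.12 443 ESTABLISHED
2021-11-09T10:00:09 198.51.100.7 10.0.0.12 2377 SYN
2021-11-09T10:00:30 10.0.0.3 10.0.0.12 2375 ESTABLISHED
"""


def parse(line):
    ts, src, dst, port, state = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), state


def find_docker_api_sweeps(log_text, min_ports=2, window=timedelta(seconds=60)):
    """Map src_ip -> sorted ports for sources touching >= min_ports distinct
    Docker API ports within `window` (the scan pattern described above)."""
    hits = defaultdict(list)  # src -> [(timestamp, port)]
    for line in filter(str.strip, log_text.splitlines()):
        ts, src, _dst, port, _state = parse(line)
        if port in DOCKER_API_PORTS:
            hits[src].append((ts, port))
    sweeps = {}
    for src, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - start <= window}
            if len(ports) >= min_ports:
                sweeps[src] = sorted(ports)
                break
    return sweeps


def find_external_api_connections(log_text, internal_prefix="10."):
    """Return (src_ip, port) pairs where a non-internal host completed a
    connection to a Docker API port, i.e. the daemon is reachable from outside."""
    exposed = []
    for line in filter(str.strip, log_text.splitlines()):
        _ts, src, _dst, port, state = parse(line)
        if port in DOCKER_API_PORTS and state == "ESTABLISHED" \
                and not src.startswith(internal_prefix):
            exposed.append((src, port))
    return exposed
```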

Connection with previous campaigns

The use of compromised Docker Hub accounts controlled by TeamTNT points to a previous campaign analyzed by TrendMicro in July.
  • In that campaign, TeamTNT deployed credential stealers to obtain Docker Hub credentials.
  • TeamTNT possibly used these compromised Docker Hub accounts to drop malicious Docker images in the current campaign.
  • In the earlier campaigns, TeamTNT targeted multiple cloud-native applications and Kubernetes clusters.

The bottom line

TeamTNT is increasingly making efforts to target and abuse Docker containers; targeting weak configurations and deploying malicious images is yet another tactic in its repertoire. Given its high level of operational planning and its organized, purposeful targeting, the threat actor can be expected to launch a larger-scale attack campaign in the near future.
Cyware Publisher