Cybersecurity firms look to use honeypots to get a view of malicious activity in the cyberspace, such as actively exploited vulnerabilities, the latest tactics and techniques employed by adversaries, and any misconfigurations on platforms. In addition to capturing the TTPs, these honeypots can prove to be a boon by letting investigators make a stealth entry into the infrastructure operated by threat actors. 

In one such setup, researchers from Trend Micro discovered that two Docker Hub accounts controlled by the TeamTNT threat group were leaking credentials.

What did the researchers discover?

  • Trend Micro’s honeypots found two Docker Hub accounts belonging to TeamTNT, named alpineos and sandeep078, leaking credentials via exposed Docker REST APIs.
  • These Docker Hub profiles were actively used to deploy malicious images containing rootkits, docker escape kits, XMRig Monero miners, credential stealers, Kinsing malware, and Kubernetes exploit kits.
  • Of the two Docker Hub accounts, alpineos hosted container images with over 150,000 pulls and was used in multiple exploitation attempts. A majority of IP addresses used in the attacks were located in Germany.

Where did the attackers go wrong?

The researchers explained that threat actors were logged in to their accounts in the DockerHub registry and probably forgot to log out. The attackers had logged into their Docker Hub account using the credentials of alpineos.

Worth noting

As organizations are transitioning to the cloud, securing misconfigured container infrastructure and cloud services against cyber threats has become more imperative than ever. Attackers have been found abusing these infrastructures to conduct software supply chain and cryptojacking attacks. In one such incident, WatchDog, a rival hacking group of TeamTNT, was spotted targeting misconfigured Docker Engine API endpoints and Redis servers to deploy XMRig malware.


Organizations are urged to take required security measures to secure Docker containers. These include creating policies for access and credential uses, as well as educating developers about the threat models in these environments.
Cyware Publisher