TeamTNT hackers target your poorly configured Docker servers

Poorly configured Docker servers are being actively targeted by the TeamTNT hacking group in an ongoing campaign that began last month.

According to a report by researchers at TrendMicro, the actors have three distinct objectives: to install Monero cryptominers, scan for other vulnerable Internet-exposed Docker instances, and carry out container-to-host escapes to access the main network.

As illustrated in an attack workflow, the attack begins with creating a container on the vulnerable host using an exposed Docker REST API.

[Figure: TeamTNT Docker abuse workflow. Source: TrendMicro]

TeamTNT then uses compromised or actor-controlled Docker Hub accounts to host malicious images and deploy them on a targeted host.

TrendMicro has seen over 150,000 pulls of images from the malicious Docker Hub accounts as part of this campaign.

Next, the dropped container executes cronjobs and fetches various post-exploitation and lateral movement tools, including container escaping scripts, credential stealers, and cryptocurrency miners.

When scanning for other vulnerable instances, the threat actors check ports 2375, 2376, 2377, 4243, and 4244, behaviour that has been observed in past DDoS botnet campaigns.

The actors also attempt to collect server information such as the OS type, architecture, number of CPU cores, container registry, and the current swarm participation status.

The container image that is created is based on the AlpineOS system and is executed with flags that allow root-level permissions on the underlying host.

[Figure: Similarities between old and past container image samples. Source: TrendMicro]

Finally, the IP address used for TeamTNT's current infrastructure (45[.]9[.]148[.]182) has been associated with several domains that served malware in the past.

Earlier campaign laid the groundwork

TrendMicro reports that this campaign also uses compromised Docker Hub accounts controlled by TeamTNT to drop malicious Docker images.

Using compromised Docker Hub accounts makes the distribution points more reliable for the actors, as they are harder to map, report, and take down.

The actors were observed collecting Docker Hub credentials in a previous campaign analyzed by TrendMicro in July, when credential stealers were deployed in attacks.

“Our July 2021 research into TeamTNT confirmed that the group previously used credential stealers that could rake in credentials from configuration files. This could be how TeamTNT gained the information it used for the compromised sites in this attack,” explains TrendMicro's research published today.

As such, TeamTNT demonstrates a high level of operational planning, being organized and purposeful in its goals.

Persistent threat to Docker systems

TeamTNT is a sophisticated actor that constantly evolves its methods and shifts its short-term targeting focus, but it remains a constant threat to vulnerable Docker systems.

They first created a worm to exploit Docker and Kubernetes en masse back in August 2020.

In October 2020, the actors added Monero mining and credential-stealing capabilities, targeting Docker instances.

In January 2021, TeamTNT upgraded its miners with sophisticated detection evasion tricks while still harvesting user credentials from the compromised servers.

Docker provides some “important” tips that can be used to lock down Docker's REST API and prevent these types of attacks.

“Therefore it is important to secure API endpoints with HTTPS and certificates. It is also recommended to ensure that it is reachable only from a trusted network or VPN,” explains Docker's security guide.
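The two checks behind Docker's advice above (is the REST API exposed on a TCP listener without TLS client verification, and is it bound to every interface) can be audited from the daemon's own `daemon.json`. The script below is an added example, not TrendMicro's or Docker's code; the `hosts`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` keys are real daemon.json settings, and the weak and hardened configurations are constructed samples, with the port list taken from the article.

```python
"""Audit a Docker daemon.json for an exposed, unauthenticated REST API."""
import json

# Ports the article says TeamTNT probes; 2375/2376 are Docker's own
# plaintext/TLS defaults, the others are alternates seen in the wild.
PROBED_PORTS = {2375, 2376, 2377, 4243, 4244}


def audit_daemon_config(daemon_json: str) -> list[str]:
    """Return one finding per weakness found on the daemon's TCP listeners."""
    cfg = json.loads(daemon_json)
    hosts = cfg.get("hosts", [])
    if isinstance(hosts, str):
        hosts = [hosts]
    # TLS only protects the API when the daemon verifies client certs and
    # has a CA, server cert and key to do it with.
    tls_ok = cfg.get("tlsverify") is True and all(
        k in cfg for k in ("tlscacert", "tlscert", "tlskey"))
    findings = []
    for h in hosts:
        if not h.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are not reachable over the network
        addr = h[len("tcp://"):]
        host, sep, port = addr.rpartition(":")
        if not sep:  # "tcp://1.2.3.4" with no explicit port
            host, port = addr, ""
        if host in ("", "0.0.0.0", "[::]"):
            findings.append(f"{h}: bound to all interfaces; bind to a trusted network or VPN address")
        if not tls_ok:
            probed = port.isdigit() and int(port) in PROBED_PORTS
            findings.append(f"{h}: no tlsverify with CA/cert/key, anyone reaching it can create containers"
                            + (" (port is one TeamTNT scans)" if probed else ""))
    return findings


# Constructed samples: the weak setup (plaintext API on every interface)
# beside one that follows the advice quoted above. Paths are placeholders.
WEAK_CONFIG = json.dumps({"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})
HARDENED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_daemon_config(cfg) or ["no findings"])
```

Run it against `/etc/docker/daemon.json` on each host; a daemon started with `-H tcp://...` on the command line instead of via the file needs the same check applied to its startup arguments.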
