Docker’s systems attacked by TeamTNT using new techniques

December 21, 2021

Recently, a cybersecurity firm reported that a malicious threat group called TeamTNT prioritises targeting poorly configured Docker systems exposed on the internet. The researchers also observed that a TeamTNT campaign against exposed Docker REST APIs is still ongoing.

Docker is an open-source containerisation platform that enables developers to package applications into containers. It is also used to standardise executable components by combining application source code with the operating system libraries and dependencies needed to operate and run the code in any environment.

TeamTNT used compromised Docker accounts.

Researchers identified that the campaign began last month, and several indicators led them to attribute it to the TeamTNT threat group. TeamTNT was discovered using poorly configured Docker Hub accounts whose images had about 150,000 pulls combined. The threat actors also controlled Docker Hub accounts used to host malicious images. These images are the files used to deploy containers that execute malware-injected scripts.

The researchers also found that when these malicious scripts execute, they perform several activities. The scripts can download and install Monero cryptominers and credential stealers, and fetch various post-exploitation and lateral-movement tools. They then scan for vulnerable Docker systems exposed on the internet by checking ports 4244, 4243, 2377, 2376, and 2375.

These malicious scripts also attempt container-to-host escapes. The threat operators gather server information such as the container, registry, architecture, current swarm participation status, CPU cores, and OSType.
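A defensive check for the exposure described above, added here as an example (it is not code from the article or from the researchers it cites): it reads a dockerd configuration, given as the contents of daemon.json plus the dockerd command line, both constructed inputs, and flags API listeners reachable over the network without TLS client verification. The function names, the severity labels and the treatment of an empty bind address as exposed are my own assumptions.

```python
import json
import shlex
from urllib.parse import urlsplit

# Ports the campaign described above probes for exposed Docker daemons.
DOCKER_API_PORTS = {2375, 2376, 2377, 4243, 4244}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def _tcp_listeners(hosts):
    """Yield (bind_addr, port) for each tcp:// entry in a dockerd hosts list."""
    for h in hosts:
        if not h.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are not reachable over the network
        u = urlsplit(h)
        port = u.port if u.port is not None else 2375  # dockerd's default API port
        # Assumption: an empty host is treated conservatively as network-exposed.
        yield (u.hostname or "(unspecified)", port)


def audit_docker_daemon(daemon_json: str, dockerd_cmdline: str) -> list:
    """Return findings for Docker API listeners exposed without --tlsverify.

    daemon_json: contents of /etc/docker/daemon.json (may be empty).
    dockerd_cmdline: the dockerd command line as seen in `ps`.
    """
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    argv = shlex.split(dockerd_cmdline)
    hosts = list(cfg.get("hosts", []))
    tlsverify = bool(cfg.get("tlsverify", False))
    for i, arg in enumerate(argv):
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
        elif arg.startswith("--host=") or arg.startswith("-H="):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
    findings = []
    for addr, port in _tcp_listeners(hosts):
        if addr in LOOPBACK or tlsverify:
            continue  # loopback-only, or client certificates are enforced
        severity = "HIGH" if port in DOCKER_API_PORTS else "MEDIUM"
        findings.append(f"{severity}: Docker API on tcp://{addr}:{port} without --tlsverify")
    return findings


if __name__ == "__main__":
    # Constructed sample: the classic misconfiguration this campaign looks for.
    sample_cfg = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
    for line in audit_docker_daemon(sample_cfg, "dockerd"):
        print(line)
```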

TeamTNT’s current campaign is connected to their previous attack.

Last July, a cybersecurity group discovered TeamTNT stealing Docker Hub credentials in a separate attack.

The credentials stolen in that attack were likely used to drop the malicious Docker images seen in the current campaign.

In conclusion, TeamTNT continues to attack and abuse Docker containers, prioritising poorly configured Docker systems and deploying malicious images as part of its tactics. Researchers released an advisory warning that TeamTNT could launch a larger-scale attack, extending to Docker Hub, if given the opportunity and proper operational planning.
