TeamTNT Hits 150K Docker Containers via Malicious Cloud Images

Honeypot activity exposed two credentials that the threat actor is using to host and distribute malicious container images, security vendor says.

Jai Vijayan, Dark Reading

September 14, 2022


An apparent operational security slip-up by a member of the TeamTNT threat group has exposed some of the tactics it's using to exploit poorly configured Docker servers.

Security researchers from Trend Micro recently set up a honeypot with an exposed Docker REST API to try to understand how threat actors in general are exploiting vulnerabilities and misconfigurations in the widely used cloud container platform. They discovered TeamTNT — a group known for its cloud-specific campaigns — making at least three attempts to exploit its Docker honeypot.

"On one of our honeypots, we had intentionally exposed a server with the Docker Daemon exposed over REST API," says Nitesh Surana, threat research engineer at Trend Micro. "The threat actors found the misconfiguration and exploited it thrice from IPs based in Germany, where they were logged in to their DockerHub registry," Surana says. "Based on our observation, the motivation of the attacker was to exploit the Docker REST API and compromise the underlying server to perform cryptojacking."

The security vendor's analysis of the activity eventually led to uncovering credentials for at least two DockerHub accounts that TeamTNT controlled (the group was abusing DockerHub free Container Registry services) and was using to distribute a variety of malicious payloads, including coin miners.


One of the accounts (with the name "alpineos") hosted a malicious container image containing rootkits, kits for Docker container escape, the XMRig Monero coin miner, credential stealers, and Kubernetes exploit kits.

Trend Micro discovered the malicious image had been downloaded more than 150,000 times, which could translate into a wide swath of infections.

The other account (sandeep078) hosted a similar malicious container image but had far fewer "pulls" — just about 200 — compared with the former. Trend Micro pointed to three scenarios that likely resulted in the leak of the TeamTNT Docker registry account credentials. These include a failure to log out of the DockerHub account, or the attackers' own machines being infected.
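The two conditions described above, an unauthenticated Docker REST API reachable over TCP and containers pulled from the named DockerHub accounts, can be checked from a host's own configuration and container list. The following is an added example for defenders, not code from Trend Micro, Docker, or the article; the daemon.json keys are the standard ones, the sample inputs are constructed, and the image names are hypothetical.

```python
"""Audit helpers for the two conditions the article describes: a Docker
daemon whose REST API is reachable over plain TCP, and running containers
pulled from the DockerHub namespaces the article names. Added example,
not Trend Micro's or Docker's code; input shapes are assumptions."""
import json

# DockerHub account names given in the article.
SUSPECT_NAMESPACES = {"alpineos", "sandeep078"}

def exposed_api_hosts(daemon_json: str) -> list:
    """Return tcp:// listeners from a daemon.json that has no TLS verification.
    An empty list means the API is not exposed without mutual TLS."""
    cfg = json.loads(daemon_json)
    if cfg.get("tlsverify"):
        return []
    return [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]

def image_namespace(ref: str) -> str:
    """Namespace (DockerHub account) of an image reference.
    'docker.io/ns/repo:tag' -> 'ns'; 'repo' (official image) -> 'library'."""
    parts = ref.split("@", 1)[0].split("/")       # drop digest, split path
    parts[-1] = parts[-1].split(":", 1)[0]        # drop tag
    first = parts[0]
    if len(parts) > 1 and ("." in first or ":" in first or first == "localhost"):
        parts = parts[1:]                          # drop explicit registry host
    return parts[0] if len(parts) > 1 else "library"

def suspect_containers(ps_json_lines: str) -> list:
    """Parse `docker ps --format '{{json .}}'` output (one object per line)
    and return (container name, image) for images from suspect namespaces."""
    hits = []
    for line in ps_json_lines.splitlines():
        if not line.strip():
            continue
        row = json.loads(line)
        if image_namespace(row["Image"]) in SUSPECT_NAMESPACES:
            hits.append((row["Names"], row["Image"]))
    return hits

# Constructed sample inputs (not captured from a real host; image names are hypothetical).
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_PS = (
    '{"Names": "web", "Image": "nginx:1.23"}\n'
    '{"Names": "job1", "Image": "docker.io/alpineos/example-image:latest"}\n'
    '{"Names": "job2", "Image": "sandeep078/example-image"}\n'
)

if __name__ == "__main__":
    print("exposed API listeners:", exposed_api_hosts(SAMPLE_DAEMON_JSON))
    print("containers from suspect namespaces:", suspect_containers(SAMPLE_PS))
```

On a real host, feed `exposed_api_hosts` the contents of /etc/docker/daemon.json and `suspect_containers` the output of `docker ps --format '{{json .}}'`; a non-empty result from the first is the misconfiguration the honeypot in this article deliberately reproduced.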


About the Author(s)

Jai Vijayan

Contributing writer, Dark Reading

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a senior editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics including big data, Hadoop, Internet of Things, e-voting and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a master's degree in statistics and lives in Naperville, Illinois.
