Cyber Crime

TeamTNT group targets poorly configured Docker servers exposing REST APIs

TeamTNT hackers are targeting poorly configured Docker servers as part of an ongoing campaign that started in October.

Trend Micro researchers reported that TeamTNT hackers are targeting poorly configured Docker servers exposing Docker REST APIs as part of an ongoing campaign that started in October.

Threat actors execute malicious scripts to deploy Monero cryptocurrency miners, perform container-to-host escape using well-known techniques, and scan the Internet for exposed ports from other compromised containers.

The attack chain starts with the creation of a container on a vulnerable host using an exposed Docker REST API. Then a malicious image is downloaded from Docker Hub accounts under the control of the threat actors.

The analysis of the scripts executed in the attacks and the tools used to deliver the miners allowed the researchers to link the campaign to TeamTNT. Trend Micro discovered one of the primary Docker Hub accounts (“alpineos”) actively used by TeamTNT and having a total of more than 150,000 pulls of malicious images.

“This container is created from an official image of the “alpine” operating system and executed with flags that allow root-level permissions on the underlying host, except for the fact that a base64-encoded string is piped to “bash” after being decoded.” reads the analysis published by Trend Micro.

Once the container has been created, it executes cronjobs and fetches various post-exploitation tools and lateral movement tools, container escaping scripts, rootkits, credential stealers, and miners.

Threat actors also scan the web for ports 2375, 2376, 2377, 4243, 4244, and attempt to gather server info such as the OS type, container registry, architecture, number of CPU cores, and the current swarm participation status.

Experts noticed that the IP address 45[.]9[.]148[.]182 used in this campaign was previously associated with the operations of the TeamTNT group.

“Our  July 2021 research into TeamTNT showed that the group previously used credential stealers that would rake in credentials from configuration files. This could be how TeamTNT gained the information it used for the compromised sites in this attack.” continues the analysis.

The TeamTNT botnet is a crypto-mining malware operation that has been active since April 2020 and that targets Docker installs. The activity of the TeamTNT group has been detailed by security firm Trend Micro, but in August 2020 experts from Cado Security discovered that that botnet is also able to target misconfigured Kubernetes installations.

In January 2021, the cybercrime gang launched a new campaign targeting Kubernetes environments with the Hildegard malware.

The Chimaera campaign is targeting multiple operating systems ( Windows, different Linux distributions including Alpine (used for containers), AWS, Docker, and Kubernetes) and applications, threat actors used a wide set of shell/batch scripts, new open-source tools, a cryptocurrency miner, the TeamTNT IRC bot, and more.

The campaign was very insidious and as of August 30, 2021, many malware samples used by the attacker still have zero detection rate from AV software. The campaign is responsible for thousands of infections globally in only a couple of months.

TeamTNT continuously improves its techniques to target vulnerable Docker installs.

“This recent attack only highlights the increasing sophistication with which exposed servers are targeted, especially by capable threat actors like TeamTNT that use compromised user credentials to fulfill their malicious motives.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Dockers)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 46

Security Affairs Malware newsletter includes a collection of the best articles and research on malware…

11 hours ago

Security Affairs newsletter Round 525 by Pierluigi Paganini – INTERNATIONAL EDITION

A new round of the weekly Securitythe weekly Security Affairs newsletterAffairs newsletter arrived! Every week…

12 hours ago

Operation ENDGAME disrupted global ransomware infrastructure

Operation ENDGAME dismantled key ransomware infrastructure, taking down 300 servers, 650 domains, and seizing €21.2M…

15 hours ago

Silent Ransom Group targeting law firms, the FBI warns

FBI warns Silent Ransom Group has targeted U.S. law firms for 2 years using callback…

1 day ago

Leader of Qakbot cybercrime network indicted in U.S. crackdown

The U.S. indicted Russian Rustam Gallyamov for leading the Qakbot botnet, which infected 700K+ devices…

2 days ago

Operation RapTor led to the arrest of 270 dark web vendors and buyers

Law enforcement operation codenamed 'Operation RapTor' led to the arrest of 270 dark web vendors…

3 days ago