TeamTNT group targets poorly configured Docker servers exposing REST APIs

Pierluigi Paganini November 10, 2021

TeamTNT hackers are targeting poorly configured Docker servers as part of an ongoing campaign that started in October.

Trend Micro researchers reported that TeamTNT hackers are targeting poorly configured Docker servers exposing Docker REST APIs as part of an ongoing campaign that started in October.

Threat actors execute malicious scripts to deploy Monero cryptocurrency miners, perform container-to-host escape using well-known techniques, and scan the Internet for exposed ports from other compromised containers.

TeamTNT dockers

The attack chain starts with the creation of a container on a vulnerable host using an exposed Docker REST API. Then a malicious image is downloaded from Docker Hub accounts under the control of the threat actors.

The analysis of the scripts executed in the attacks and the tools used to deliver the miners allowed the researchers to link the campaign to TeamTNT. Trend Micro discovered one of the primary Docker Hub accounts (“alpineos”) actively used by TeamTNT and having a total of more than 150,000 pulls of malicious images.

“This container is created from an official image of the “alpine” operating system and executed with flags that allow root-level permissions on the underlying host, except for the fact that a base64-encoded string is piped to “bash” after being decoded.” reads the analysis published by Trend Micro.

Once the container has been created, it executes cronjobs and fetches various post-exploitation tools and lateral movement tools, container escaping scripts, rootkits, credential stealers, and miners.

Threat actors also scan the web for ports 2375, 2376, 2377, 4243, 4244, and attempt to gather server info such as the OS type, container registry, architecture, number of CPU cores, and the current swarm participation status.

Experts noticed that the IP address 45[.]9[.]148[.]182 used in this campaign was previously associated with the operations of the TeamTNT group.

“Our  July 2021 research into TeamTNT showed that the group previously used credential stealers that would rake in credentials from configuration files. This could be how TeamTNT gained the information it used for the compromised sites in this attack.” continues the analysis.

The TeamTNT botnet is a crypto-mining malware operation that has been active since April 2020 and that targets Docker installs. The activity of the TeamTNT group has been detailed by security firm Trend Micro, but in August 2020 experts from Cado Security discovered that that botnet is also able to target misconfigured Kubernetes installations.

In January 2021, the cybercrime gang launched a new campaign targeting Kubernetes environments with the Hildegard malware.

The Chimaera campaign is targeting multiple operating systems ( Windows, different Linux distributions including Alpine (used for containers), AWS, Docker, and Kubernetes) and applications, threat actors used a wide set of shell/batch scripts, new open-source tools, a cryptocurrency miner, the TeamTNT IRC bot, and more.

The campaign was very insidious and as of August 30, 2021, many malware samples used by the attacker still have zero detection rate from AV software. The campaign is responsible for thousands of infections globally in only a couple of months.

TeamTNT continuously improves its techniques to target vulnerable Docker installs.

“This recent attack only highlights the increasing sophistication with which exposed servers are targeted, especially by capable threat actors like TeamTNT that use compromised user credentials to fulfill their malicious motives.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Dockers)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment