Hackers abuse poorly secured Docker Hub accounts to mine cryptocurrency

TeamTNT behind new campaign to install crypto miners on containers

Bitcoin cryptocurrency mining

A cyber criminal gang has targeted poorly configured Docker containers to mine for cryptocurrency.

In October, security researchers at Trend Micro discovered hackers targeting poorly configured servers with exposed Docker REST APIs by spinning up containers from images that execute malicious scripts.

These scripts did three things. First, the downloaded or bundled Monero cryptocurrency coin miners. Second, they performed container-to-host escape using well-known techniques. Finally, they carried out internet-wide scans for exposed ports from compromised containers.

The campaign’s compromised containers also attempted to collect information, such as the server’s operating system, the container registry set for use, the server’s architecture, current swarm participation status, and the number of CPU cores. 

To gain more details about the misconfigured server, such as uptime and total memory available, threat actors also spin up containers using docker-CLI by setting the “--privileged” flag, using the network namespace of the underlying host “--net=host,” and mounting the underlying hosts’ root file system at container path “/host”.

The researchers found Docker Hub registry accounts that were either compromised or belong to TeamTNT. 

“These accounts were being used to host malicious images and were an active part of botnets and malware campaigns that abused the Docker REST API,” said researchers. They then contacted Docker to have the accounts removed.

Trend Micro researchers said the same hackers also used credential stealers that would collect credentials from configuration files back in July. Researchers believe this is how TeamTNT gained the information it used for the compromised sites in this attack.

“Based on the scripts being executed and the tooling being used to deliver coinminers, we arrive at the following conclusions connecting this attack to TeamTNT,” said researchers. “’alpineos’ (with a total of more than 150,000 pulls with all images combined) is one of the primary Docker Hub accounts being actively used by TeamTNT. There are compromised Docker Hub accounts that are being controlled by TeamTNT to spread coin mining malware.”

Researchers said that exposed Docker application programming interfaces (APIs) have become principal targets for attackers. These allow them to execute their malicious code with root privileges on a targeted host if security considerations are not accounted for. 

“This recent attack only highlights the increasing sophistication with which exposed servers are targeted, especially by capable threat actors like TeamTNT that use compromised user credentials to fulfill their malicious motives,” they added.

Featured Resources

Seven steps to connect and empower your frontline workers

How business leaders can improve communication with a secure platform

Free download

Create what’s next

The future of collaboration and productivity

Free Download

Leveraging the cloud without relinquishing control

Your data. Their cloud.

Free download

Re-architecting for nonstop innovation

Unlocking productivity, scalability, and lower costs for cloud natives

Free Download

Recommended

SMBs urged to update software ahead of Black Friday
e commerce

SMBs urged to update software ahead of Black Friday

25 Nov 2021
US adds dozen Chinese tech companies to trade blacklist
Policy & legislation

US adds dozen Chinese tech companies to trade blacklist

25 Nov 2021
Fifth of UK security pros discriminated against in 2021
Careers & training

Fifth of UK security pros discriminated against in 2021

23 Nov 2021
Wind turbine maker Vestas hit by cyber attack
cyber attacks

Wind turbine maker Vestas hit by cyber attack

22 Nov 2021

Most Popular

How to speed up Microsoft's Windows 11
Microsoft Windows

How to speed up Microsoft's Windows 11

9 Nov 2021
Nike to take customers into the metaverse with 'NIKELAND'
virtualisation

Nike to take customers into the metaverse with 'NIKELAND'

19 Nov 2021
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

12 Nov 2021