Hackers abuse poorly secured Docker Hub accounts to mine cryptocurrency
TeamTNT behind new campaign to install crypto miners on containers
In October, security researchers at Trend Micro discovered hackers targeting poorly configured servers with exposed Docker REST APIs by spinning up containers from images that execute malicious scripts.
These scripts did three things. First, they downloaded or bundled Monero cryptocurrency coin miners. Second, they performed container-to-host escape using well-known techniques. Finally, they carried out internet-wide scans for exposed ports from the compromised containers.
The campaign’s compromised containers also attempted to collect information, such as the server’s operating system, the container registry set for use, the server’s architecture, current swarm participation status, and the number of CPU cores.
To gain more details about the misconfigured server, such as uptime and total memory available, the threat actors also spun up containers with the Docker CLI, setting the “--privileged” flag, using the network namespace of the underlying host (“--net=host”), and mounting the underlying host’s root file system at the container path “/host”.
The researchers found Docker Hub registry accounts that were either compromised or belonged to TeamTNT.
“These accounts were being used to host malicious images and were an active part of botnets and malware campaigns that abused the Docker REST API,” said researchers. They then contacted Docker to have the accounts removed.
Trend Micro researchers said that back in July the same hackers also used credential stealers that collected credentials from configuration files. Researchers believe this is how TeamTNT gained the information it used against the compromised sites in this attack.
“Based on the scripts being executed and the tooling being used to deliver coinminers, we arrive at the following conclusions connecting this attack to TeamTNT,” said researchers. “‘alpineos’ (with a total of more than 150,000 pulls with all images combined) is one of the primary Docker Hub accounts being actively used by TeamTNT. There are compromised Docker Hub accounts that are being controlled by TeamTNT to spread coin mining malware.”
Researchers said that exposed Docker application programming interfaces (APIs) have become principal targets for attackers. These allow them to execute their malicious code with root privileges on a targeted host if security considerations are not accounted for.
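As an added illustration (not code from the article, from Trend Micro, or from Docker), the Python script below audits `docker inspect` output for the three container settings the campaign used (`--privileged`, `--net=host`, and the host root file system bind-mounted at `/host`) and checks a daemon configuration for a REST API listener bound to TCP without TLS client verification, which is the exposure that lets an attacker run code as root on the host. The inspect records and both daemon configurations are constructed samples; the `daemon.json` keys `hosts` and `tlsverify` are Docker's own.

```python
"""Audit Docker containers and daemon settings for the indicators described
in the TeamTNT write-up: privileged containers sharing the host network
namespace with the host root mounted inside, and an API exposed over plain TCP."""
import json

# Constructed sample: abbreviated `docker inspect` output for two containers.
# The first mirrors the recon container described in the article; the second
# is an ordinary service container used as a negative case.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "0000000000000000000000000000000000000000000000000000000000000001",
        "Name": "/recon",
        "Config": {"Image": "example-registry/placeholder-image:latest"},
        "HostConfig": {"Privileged": True, "NetworkMode": "host", "Binds": ["/:/host"]},
        "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host"}],
    },
    {
        "Id": "0000000000000000000000000000000000000000000000000000000000000002",
        "Name": "/web",
        "Config": {"Image": "nginx:1.25"},
        "HostConfig": {"Privileged": False, "NetworkMode": "bridge", "Binds": []},
        "Mounts": [],
    },
])

# Constructed daemon.json samples: the weak one exposes the API on TCP 2375
# with no TLS; the hardened one keeps TCP but requires client certificates.
WEAK_DAEMON_CONFIG = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
HARDENED_DAEMON_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",      # placeholder paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}


def audit_container(record):
    """Return indicator labels for one `docker inspect` record (empty if clean)."""
    findings = []
    host_config = record.get("HostConfig", {})
    if host_config.get("Privileged"):
        findings.append("privileged")
    if host_config.get("NetworkMode") == "host":
        findings.append("host-network-namespace")
    # Bind mounts of the host root: use the normalized Mounts list and fall
    # back to the raw "src:dst[:opts]" strings in HostConfig.Binds.
    root_mounts = set()
    for mount in record.get("Mounts", []):
        if mount.get("Type") == "bind" and mount.get("Source") == "/":
            root_mounts.add(mount.get("Destination"))
    for bind in host_config.get("Binds") or []:
        parts = bind.split(":")
        if len(parts) >= 2 and parts[0] == "/":
            root_mounts.add(parts[1])
    for dest in sorted(root_mounts):
        findings.append(f"host-root-mounted-at:{dest}")
    return findings


def audit_inspect_json(text):
    """Map container name -> findings for every flagged container in a JSON array."""
    results = {}
    for record in json.loads(text):
        findings = audit_container(record)
        if findings:
            results[record.get("Name", record.get("Id", "?"))] = findings
    return results


def audit_daemon_config(config):
    """Return API listeners that accept TCP connections without TLS client auth."""
    tls_client_auth = bool(config.get("tlsverify"))
    return [host for host in config.get("hosts", [])
            if host.startswith("tcp://") and not tls_client_auth]


if __name__ == "__main__":
    print("flagged containers:", audit_inspect_json(SAMPLE_INSPECT))
    print("weak daemon listeners:", audit_daemon_config(WEAK_DAEMON_CONFIG))
    print("hardened daemon listeners:", audit_daemon_config(HARDENED_DAEMON_CONFIG))
```

On a real host, feed `audit_inspect_json` the output of `docker inspect $(docker ps -q)` and `audit_daemon_config` the parsed contents of `/etc/docker/daemon.json`; a container that trips all three indicators at once is the pattern the article describes, and any `tcp://` listener without `tlsverify` is the exposure that made the servers reachable in the first place.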
“This recent attack only highlights the increasing sophistication with which exposed servers are targeted, especially by capable threat actors like TeamTNT that use compromised user credentials to fulfill their malicious motives,” they added.