Hackers abuse poorly secured Docker Hub accounts to mine cryptocurrency

TeamTNT behind new campaign to install crypto miners on containers

A cyber criminal gang has targeted poorly configured Docker containers to mine for cryptocurrency.

In October, security researchers at Trend Micro discovered hackers targeting poorly configured servers with exposed Docker REST APIs by spinning up containers from images that execute malicious scripts.

These scripts did three things. First, they downloaded or bundled Monero cryptocurrency coin miners. Second, they performed container-to-host escapes using well-known techniques. Finally, they carried out internet-wide scans for exposed ports from the compromised containers.

The campaign’s compromised containers also attempted to collect information, such as the server’s operating system, the container registry set for use, the server’s architecture, current swarm participation status, and the number of CPU cores.

To gain more details about the misconfigured server, such as uptime and total memory available, the threat actors also spun up containers using the Docker CLI with the “--privileged” flag set, using the network namespace of the underlying host (“--net=host”), and mounting the underlying host’s root file system at the container path “/host”.

The researchers found Docker Hub registry accounts that were either compromised or belonged to TeamTNT.

“These accounts were being used to host malicious images and were an active part of botnets and malware campaigns that abused the Docker REST API,” said researchers. They then contacted Docker to have the accounts removed.

Trend Micro researchers said the same hackers had also used credential stealers, back in July, that collected credentials from configuration files. Researchers believe this is how TeamTNT gained the information it used against the compromised sites in this attack.

“Based on the scripts being executed and the tooling being used to deliver coinminers, we arrive at the following conclusions connecting this attack to TeamTNT,” said researchers. “‘alpineos’ (with a total of more than 150,000 pulls with all images combined) is one of the primary Docker Hub accounts being actively used by TeamTNT. There are compromised Docker Hub accounts that are being controlled by TeamTNT to spread coin mining malware.”

Researchers said that exposed Docker application programming interfaces (APIs) have become principal targets for attackers. If security considerations are not accounted for, an exposed API allows an attacker to execute malicious code with root privileges on the targeted host.
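The two misconfigurations the article describes, a Docker daemon API reachable over plain TCP and containers started with the privileged flag, host networking, and the host root file system bind-mounted, can both be audited from the daemon's own configuration and from `docker inspect` output. The script below is an added example written for this article, not code from Trend Micro or from the Docker project. It parses a constructed `daemon.json` and a constructed, trimmed `docker inspect` JSON array (the image names and container IDs in it are placeholders) and reports which containers show the indicators the researchers observed.

```python
import json

# Constructed sample of `docker inspect` output (a JSON array), trimmed to the
# fields the audit needs. Container names, IDs and image tags are placeholders.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "aaa111",
        "Name": "/web",
        "Image": "nginx:1.21",
        "HostConfig": {"Privileged": False, "NetworkMode": "bridge", "Binds": []},
        "Mounts": [],
    },
    {
        "Id": "bbb222",
        "Name": "/suspicious",
        "Image": "example/placeholder:latest",  # hypothetical image, not a real one
        "HostConfig": {
            "Privileged": True,                 # started with --privileged
            "NetworkMode": "host",              # started with --net=host
            "Binds": ["/:/host"],               # host root mounted at /host
        },
        "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host"}],
    },
])

# Constructed /etc/docker/daemon.json that exposes the API on TCP without TLS.
SAMPLE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
})


def audit_container(container):
    """Return the list of risk indicators found on one inspected container."""
    findings = []
    host_config = container.get("HostConfig", {})
    if host_config.get("Privileged"):
        findings.append("privileged")
    if host_config.get("NetworkMode") == "host":
        findings.append("host-network")
    for mount in container.get("Mounts", []):
        # A bind mount whose source is the host root gives the container the
        # whole host file system, the pattern described in the article.
        if mount.get("Type") == "bind" and mount.get("Source") == "/":
            findings.append(f"host-root-mounted-at:{mount.get('Destination')}")
    return findings


def audit_inspect_json(text):
    """Map container name -> findings for every container that has any."""
    report = {}
    for container in json.loads(text):
        findings = audit_container(container)
        if findings:
            report[container["Name"].lstrip("/")] = findings
    return report


def audit_daemon_config(text):
    """Flag tcp:// listeners in daemon.json unless client cert auth is enforced.

    The `hosts` and `tlsverify` keys are the standard daemon.json settings;
    a tcp:// listener without tlsverify accepts unauthenticated API calls.
    """
    config = json.loads(text)
    findings = []
    if not config.get("tlsverify"):
        for host in config.get("hosts", []):
            if host.startswith("tcp://"):
                findings.append(f"unauthenticated-tcp-listener:{host}")
    return findings


if __name__ == "__main__":
    # On a real host, feed in `docker inspect $(docker ps -q)` and
    # /etc/docker/daemon.json instead of the constructed samples.
    print("daemon:", audit_daemon_config(SAMPLE_DAEMON_JSON))
    print("containers:", audit_inspect_json(SAMPLE_INSPECT))
```

The container check reads only fields that `docker inspect` always emits, so the same function can be pointed at live output; the daemon check treats `tlsverify` as the one setting that turns a TCP listener into an authenticated one, which matches the daemon's own behaviour of rejecting clients without a certificate signed by the configured CA.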

“This recent attack only highlights the increasing sophistication with which exposed servers are targeted, especially by capable threat actors like TeamTNT that use compromised user credentials to fulfill their malicious motives,” they added.
