Cyber security researchers have reported that the threat actor group TeamTNT has been activity targeting misconfigured servers with exposed Docker REST APIs. The group gained notoriety back in 2020 when they were utilizing various techniques to infect cloud environments, however, the threat group has upgraded its arsenal of attacks by spinning up containers from images that execute malicious scripts with three objectives:
1) Download Monero cryptocurrency coin miners
2) Perform container-to-host escapes to access the main network
3) Scan for other vulnerable internet-exposed containers
To achieve these objectives, attackers attempt to create a container on a vulnerable host using the Docker REST API. The vulnerable host will then request an attacker-specified image from Docker Hub. The malicious image is then installed and creates a container that executes cronjobs. Attackers then execute post-exploitation and lateral movement techniques with various tools like Zmap, container escape scripts, rootkits, credential stealers, and coin miners.
Indicators of Compromise
Shell script 79ed63686c8c46ea8219d67924aa858344d8b9ea191bf821d26b5ae653e555d9
Shell script 497c5535cdc283079363b43b4a380aefea9deb1d0b372472499fcdcc58c53fef
Shell script a68cbfa56e04eaf75c9c8177e81a68282b0729f7c0babc826db7b46176bdf222
IP address 45.9[.]148.18
Skilled attackers often develop and improve their techniques of attack, as seen with TeamTNT. Proper security measures should be enforced to avoid vulnerable Docker APIs. Exploitation of these security vulnerabilities can result in malicious code execution with root privileges on a targeted host.
Per the Docker security documents, it is mandatory to secure API endpoints with HTTPS and certificates. Access should only be granted by a trusted network or VPN.