New Threat Research: Uncovering Adversarial LDAP Tradecraft

Read Threat Research


Threat Group Targets Misconfigured Docker Servers

Cyber security researchers have reported that the threat actor group TeamTNT has been activity targeting misconfigured servers with exposed Docker REST APIs. The group gained notoriety back in 2020 when they were utilizing various techniques to infect cloud environments, however, the threat group has upgraded its arsenal of attacks by spinning up containers from images that execute malicious scripts with three objectives:

1) Download Monero cryptocurrency coin miners

2) Perform container-to-host escapes to access the main network

3) Scan for other vulnerable internet-exposed containers

To achieve these objectives, attackers attempt to create a container on a vulnerable host using the Docker REST API. The vulnerable host will then request an attacker-specified image from Docker Hub. The malicious image is then installed and creates a container that executes cronjobs. Attackers then execute post-exploitation and lateral movement techniques with various tools like Zmap, container escape scripts, rootkits, credential stealers, and coin miners.

Indicators of Compromise

Type                Identifier/Hash

Shell script      79ed63686c8c46ea8219d67924aa858344d8b9ea191bf821d26b5ae653e555d9

Shell script      497c5535cdc283079363b43b4a380aefea9deb1d0b372472499fcdcc58c53fef

Shell script      a68cbfa56e04eaf75c9c8177e81a68282b0729f7c0babc826db7b46176bdf222

Domain           teamtnt[.]red

IP address       45.9[.]148.18

Analyst Notes

Skilled attackers often develop and improve their techniques of attack, as seen with TeamTNT. Proper security measures should be enforced to avoid vulnerable Docker APIs. Exploitation of these security vulnerabilities can result in malicious code execution with root privileges on a targeted host.

Per the Docker security documents, it is mandatory to secure API endpoints with HTTPS and certificates. Access should only be granted by a trusted network or VPN.