Hackers abuse poorly secured Docker Hub accounts to mine cryptocurrency

TeamTNT behind new campaign to install crypto miners on containers


A cyber criminal gang has targeted poorly configured Docker containers to mine for cryptocurrency.

In October, security researchers at Trend Micro discovered hackers targeting poorly configured servers with exposed Docker REST APIs by spinning up containers from images that execute malicious scripts.

These scripts did three things. First, they downloaded or bundled Monero cryptocurrency coin miners. Second, they performed container-to-host escape using well-known techniques. Finally, they carried out internet-wide scans for exposed ports from the compromised containers.

The campaign’s compromised containers also attempted to collect information, such as the server’s operating system, the container registry set for use, the server’s architecture, current swarm participation status, and the number of CPU cores.

To gain more details about the misconfigured server, such as uptime and total memory available, the threat actors also spun up containers using the Docker CLI with the “--privileged” flag set, using the network namespace of the underlying host (“--net=host”), and mounting the underlying host’s root file system at the container path “/host”.
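As an added example, not taken from the article or from Trend Micro’s research, the following Python audits `docker inspect` output for the three settings described above (a privileged container, the host network namespace, and the host root filesystem bind-mounted into the container). The field names are the standard `docker inspect` keys; the sample records are constructed.

```python
"""Flag containers whose configuration matches the abuse pattern above:
--privileged, --net=host, and the host root filesystem mounted at /host.
Input is the JSON array produced by `docker inspect $(docker ps -q)`."""
import json


def risk_flags(container):
    """Return the list of risky settings found in one `docker inspect` record."""
    host_cfg = container.get("HostConfig", {})
    flags = []
    if host_cfg.get("Privileged"):
        flags.append("privileged")
    if host_cfg.get("NetworkMode") == "host":
        flags.append("host-network")
    for mount in container.get("Mounts", []):
        # A bind mount of "/" exposes the entire host filesystem to the container.
        if mount.get("Type") == "bind" and mount.get("Source") == "/":
            flags.append("host-root-mounted-at:" + mount.get("Destination", "?"))
    return flags


def audit(inspect_json):
    """Map container name -> flags for every container with at least one flag."""
    findings = {}
    for record in json.loads(inspect_json):
        flags = risk_flags(record)
        if flags:
            findings[record["Name"].lstrip("/")] = flags
    return findings


# Constructed sample resembling `docker inspect` output: one benign web
# container and one matching the recon pattern described in the article.
SAMPLE = json.dumps([
    {"Name": "/web",
     "HostConfig": {"Privileged": False, "NetworkMode": "bridge"},
     "Mounts": [{"Type": "volume", "Source": "webdata", "Destination": "/data"}]},
    {"Name": "/recon",
     "HostConfig": {"Privileged": True, "NetworkMode": "host"},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host"}]},
])

if __name__ == "__main__":
    for name, flags in audit(SAMPLE).items():
        print(f"{name}: {', '.join(flags)}")
```

On a live host, replace `SAMPLE` with the output of `docker inspect $(docker ps -q)`; any container that carries all three flags is worth immediate investigation.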

The researchers found Docker Hub registry accounts that were either compromised or belonged to TeamTNT.

“These accounts were being used to host malicious images and were an active part of botnets and malware campaigns that abused the Docker REST API,” said researchers. They then contacted Docker to have the accounts removed.

Trend Micro researchers said the same hackers also used credential stealers that would collect credentials from configuration files back in July. Researchers believe this is how TeamTNT gained the information it used for the compromised sites in this attack.

“Based on the scripts being executed and the tooling being used to deliver coinminers, we arrive at the following conclusions connecting this attack to TeamTNT,” said researchers. “‘alpineos’ (with a total of more than 150,000 pulls with all images combined) is one of the primary Docker Hub accounts being actively used by TeamTNT. There are compromised Docker Hub accounts that are being controlled by TeamTNT to spread coin mining malware.”

Researchers said that exposed Docker application programming interfaces (APIs) have become principal targets for attackers. If left unsecured, these APIs allow attackers to execute malicious code with root privileges on the targeted host.

“This recent attack only highlights the increasing sophistication with which exposed servers are targeted, especially by capable threat actors like TeamTNT that use compromised user credentials to fulfill their malicious motives,” they added.
