New Hacking Campaign by TeamTNT Targets Exposed Docker Daemons
A recent report by cybersecurity researchers at Aqua Nautilus has unveiled a sophisticated campaign orchestrated by TeamTNT, a hacking group with a notorious reputation for its relentless attacks on cloud-native environments. This campaign exploits exposed Docker daemons, allowing TeamTNT to deploy malware, including the Sliver worm and cryptominers, using compromised servers as well as Docker Hub to amplify their operations.
TeamTNT’s strategic approach involves taking advantage of vulnerabilities in Docker daemon services, particularly those running on specific ports. Their latest offensive includes the compromise of a legitimate Docker Hub account, which they have leveraged to distribute malware through approximately 30 malicious images. These images fall into two groups: infrastructure-focused images designed to propagate the malware, and impact-driven images that mine cryptocurrency or rent out the victim’s computing power.
To execute their attacks, TeamTNT utilizes a tool termed Docker Gatling Gun. This tool scans a very large range of IP addresses (over 16 million) for weaknesses in Docker daemons. Upon identifying a vulnerable daemon, it deploys a minimal Alpine Linux container from the compromised Docker Hub account that carries a malicious script named “TDGGinit.sh.” This script not only facilitates the initial breach but also prepares the environment for the malicious activities that follow.
The group employs advanced stealth tactics, notably using the Sliver malware, which is a step up in sophistication from the Tsunami tool they used previously. By masquerading under familiar process names such as ‘Chimaera’ and ‘Bioset,’ TeamTNT can avoid detection. They also search the compromised host for sensitive keys and credentials, which lets them deepen their foothold and propagate their malware further.
TeamTNT’s command and control operations are backed by various communication protocols, including DNS and mTLS, and the group is adept at using web servers and Docker Hub for coordination purposes. Their ultimate objectives appear to centre on resource hijacking for cryptocurrency mining, specifically Monero, and on selling access to compromised systems for illicit gain.
In light of TeamTNT’s evolving tactics, businesses are urged to bolster their cybersecurity practices. The MITRE ATT&CK matrix can be instrumental in understanding the adversary tactics employed in this incident, notably initial access, persistence, privilege escalation, and defense evasion. Organizations should emphasize routine software updates, adhere to robust network security measures, and maintain vigilance against potential threats.
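As an added, defender-side illustration (not code from Aqua Nautilus or from this article), the Python below checks the two conditions the campaign relies on: a Docker daemon whose API is bound to a TCP socket without TLS client verification, and running containers whose images come from a Docker Hub namespace that is not on an allow-list. The daemon.json content and the `docker ps` lines are constructed samples; port 2375 and the registry host `registry.internal.example` are assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed sample daemon.json (not from the report): a daemon listening on
# all interfaces over plain TCP with no TLS client verification.
SAMPLE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
    "tls": False,
})

# Constructed sample lines as `docker ps --format '{{json .}}'` would emit them.
SAMPLE_PS_LINES = [
    '{"Names":"web","Image":"nginx:1.27"}',
    '{"Names":"build","Image":"registry.internal.example/ci/runner:3"}',
    '{"Names":"x","Image":"someaccount/alpine-tools:latest"}',
]

def audit_daemon_config(daemon_json: str) -> list[str]:
    """Flag TCP listeners in daemon.json: any tcp:// host without tlsverify is
    an exposed daemon; a bind to 0.0.0.0 or :: is reachable from everywhere."""
    cfg = json.loads(daemon_json)
    findings = []
    for host in cfg.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// are local-only
        bind = parts.hostname or ""
        where = "all interfaces" if bind in ("", "0.0.0.0", "::") else bind
        if not cfg.get("tlsverify", False):
            findings.append(f"{host} ({where}) without TLS client verification")
        elif where == "all interfaces":
            findings.append(f"{host} reachable from all interfaces (TLS only)")
    return findings

def image_namespace(image: str) -> str:
    """'nginx' -> 'library', 'acct/img' -> 'acct', 'host/path' -> 'host'."""
    head, _, tail = image.split("@", 1)[0].rpartition("/")
    path = f"{head}/{tail.split(':', 1)[0]}" if head else tail.split(":", 1)[0]
    first, _, rest = path.partition("/")
    if "." in first or ":" in first or first == "localhost":
        return first  # image pulled from a non-Hub registry
    return first if rest else "library"  # Hub user/org, or an official image

def flag_untrusted_containers(ps_lines: list[str], allowed: set[str]) -> list[str]:
    """Names of running containers whose image source is not allow-listed."""
    recs = (json.loads(line) for line in ps_lines)
    return [r["Names"] for r in recs if image_namespace(r["Image"]) not in allowed]

if __name__ == "__main__":
    print(audit_daemon_config(SAMPLE_DAEMON_JSON))
    print(flag_untrusted_containers(SAMPLE_PS_LINES, {"library", "registry.internal.example"}))
```

On a real host, feed it the contents of `/etc/docker/daemon.json` and the output of `docker ps --format '{{json .}}'`; an empty result from both functions is the expected state.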
The implications of this latest campaign highlight the pressing need for organizations to remain proactive in their cybersecurity strategies. As cybercriminal groups like TeamTNT continue to adapt and refine their techniques, a comprehensive understanding of emerging threats and the risks they pose becomes increasingly critical for safeguarding sensitive information and maintaining operational integrity.