A cyber criminal gang has targeted poorly configured Docker containers to mine for cryptocurrency.
In October, security researchers at Trend Micro discovered hackers targeting poorly configured servers with exposed Docker REST APIs by spinning up containers from images that execute malicious scripts.
These scripts did three things. First, they downloaded or bundled Monero cryptocurrency coin miners. Second, they performed container-to-host escape using well-known techniques. Finally, they carried out internet-wide scans for exposed ports from compromised containers.
The campaign’s compromised containers also attempted to collect information, such as the server’s operating system, the container registry set for use, the server’s architecture, current swarm participation status, and the number of CPU cores.
To gain more details about the misconfigured server, such as uptime and total memory available, the threat actors also spun up containers using the docker CLI with the “--privileged” flag set, using the network namespace of the underlying host (“--net=host”), and mounting the underlying host’s root file system at the container path “/host”.
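The combination described above (a privileged container on the host network with the host’s root file system bind-mounted inside it) is straightforward to audit on a Docker host. The following is an added example, not code from the article or from Trend Micro: it reads the JSON that `docker inspect` emits and flags containers that match that pattern; the sample records are constructed.

```python
"""Flag containers whose configuration matches the campaign's host-escape pattern:
--privileged, --net=host, and the host root file system bind-mounted into the container.
Input is the JSON array produced by `docker inspect <container> ...`."""
import json


def risky_settings(container: dict) -> list[str]:
    """Return the risky settings found in one `docker inspect` record."""
    findings = []
    host_config = container.get("HostConfig", {})
    if host_config.get("Privileged"):
        findings.append("privileged")
    if host_config.get("NetworkMode") == "host":
        findings.append("host-network")
    # HostConfig.Binds entries look like "source:destination[:options]";
    # a source of "/" exposes the whole host root file system.
    for bind in host_config.get("Binds") or []:
        if bind.split(":", 1)[0] == "/":
            findings.append(f"host-root-mount({bind})")
    # The same mount also appears under Mounts with Type "bind"; check it as well
    # so a container created through the REST API (no Binds string) is not missed.
    for mount in container.get("Mounts") or []:
        if mount.get("Type") == "bind" and mount.get("Source") == "/":
            finding = f"host-root-mount({mount['Source']}:{mount.get('Destination')})"
            if finding not in findings:
                findings.append(finding)
    return findings


def audit(inspect_output: str) -> dict[str, list[str]]:
    """Map container name -> findings, for every container with at least one finding."""
    report = {}
    for container in json.loads(inspect_output):
        found = risky_settings(container)
        if found:
            report[container["Name"].lstrip("/")] = found
    return report


# Constructed sample: one container shaped like the campaign's recon container, one benign.
SAMPLE = json.dumps([
    {"Name": "/recon",
     "HostConfig": {"Privileged": True, "NetworkMode": "host", "Binds": ["/:/host"]},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host"}]},
    {"Name": "/web",
     "HostConfig": {"Privileged": False, "NetworkMode": "bridge",
                    "Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
     "Mounts": [{"Type": "bind", "Source": "/srv/www", "Destination": "/usr/share/nginx/html"}]},
])

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On a live host, feed it `docker inspect $(docker ps -q)`; any container reported with all three findings deserves an immediate look at who created it and from where.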
The researchers found Docker Hub registry accounts that were either compromised or belonged to TeamTNT.
“These accounts were being used to host malicious images and were an active part of botnets and malware campaigns that abused the Docker REST API,” said researchers. They then contacted Docker to have the accounts removed.
Trend Micro researchers said the same hackers also used credential stealers that would collect credentials from configuration files back in July. Researchers believe this is how TeamTNT gained the information it used for the compromised sites in this attack.
“Based on the scripts being executed and the tooling being used to deliver coinminers, we arrive at the following conclusions connecting this attack to TeamTNT,” said researchers. “‘alpineos’ (with a total of more than 150,000 pulls with all images combined) is one of the primary Docker Hub accounts being actively used by TeamTNT. There are compromised Docker Hub accounts that are being controlled by TeamTNT to spread coin mining malware.”
Researchers said that exposed Docker application programming interfaces (APIs) have become principal targets for attackers. These allow them to execute their malicious code with root privileges on a targeted host if security considerations are not accounted for.
“This recent attack only highlights the increasing sophistication with which exposed servers are targeted, especially by capable threat actors like TeamTNT that use compromised user credentials to fulfill their malicious motives,” they added.
ITPro is a global business technology website providing the latest news, analysis, and business insight for IT decision-makers. Whether it's cyber security, cloud computing, IT infrastructure, or business strategy, we aim to equip leaders with the data they need to make informed IT investments.