Hackers target misconfigured Docker instances

Threat actors continue to exploit misconfigured Docker instances to carry out various malicious activities, such as installing Monero cryptominers, cybersecurity researchers warn. The ongoing campaign, which started last month, is run by the hacking group TeamTNT and was discovered by security researchers at TrendMicro. "Exposed Docker APIs have become common targets for attackers because they allow them to run their own malicious code with root privileges on a specific host if security considerations are not taken into account," the researchers note. According to the researchers, the compromised container retrieves various post-exploitation and lateral movement tools, including container escape scripts, credential stealers, and cryptocurrency miners.
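The misconfiguration the researchers describe is a Docker daemon whose Remote API listens on a TCP port without client-certificate verification: anyone who can reach the port can create containers as root on the host. The following audit script is an added example written for this article, not code from TrendMicro or from the campaign. It reads the two places dockerd takes its listen addresses from, the "hosts" key in daemon.json and the -H/--host flags on the dockerd command line, and flags any tcp:// listener that lacks tlsverify. The two daemon.json documents at the bottom are constructed for the example: one reproduces the exposed configuration, the other the hardened form. The certificate paths in the hardened config are placeholders.

```python
"""Audit a dockerd configuration for an exposed, unauthenticated Remote API.

Added example for this article (not TrendMicro's or TeamTNT's code).
Inputs are the text of /etc/docker/daemon.json and/or the dockerd command
line (e.g. from `ps -o args= -C dockerd`); the output is a list of findings,
one per configured listener.
"""
import json
import shlex
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Finding:
    listener: str
    severity: str   # "critical" or "ok"
    reason: str


def _cmdline_args(cmdline: Optional[str]) -> List[str]:
    return shlex.split(cmdline) if cmdline else []


def parse_hosts_from_cmdline(cmdline: str) -> List[str]:
    """Extract -H / --host values, in both '-H value' and '--host=value' forms."""
    args = _cmdline_args(cmdline)
    hosts = []
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 2
            continue
        for prefix in ("-H=", "--host="):
            if arg.startswith(prefix):
                hosts.append(arg[len(prefix):])
        i += 1
    return hosts


def _flag_enabled(cfg: dict, args: List[str], name: str) -> bool:
    """True if `name` is set to true in daemon.json or given as --name on the command line."""
    if cfg.get(name) is True:
        return True
    return any(arg in (f"--{name}", f"--{name}=true") for arg in args)


def audit(daemon_json: Optional[str], cmdline: Optional[str]) -> List[Finding]:
    cfg = json.loads(daemon_json) if daemon_json else {}
    args = _cmdline_args(cmdline)
    hosts = list(cfg.get("hosts", [])) + parse_hosts_from_cmdline(cmdline or "")
    if not hosts:
        hosts = ["unix:///var/run/docker.sock"]  # dockerd's default when no host is configured
    tls = _flag_enabled(cfg, args, "tls")
    tlsverify = _flag_enabled(cfg, args, "tlsverify")

    findings = []
    for listener in hosts:
        if not listener.startswith("tcp://"):
            # unix:// and fd:// listeners are reachable only locally; access is
            # governed by socket permissions (usually the docker group).
            findings.append(Finding(listener, "ok", "local socket, not network-reachable"))
            continue
        # tcp://:2375 has no hostname at all; dockerd binds every interface in that case.
        host = urlsplit(listener).hostname or ""
        where = "all interfaces" if host in ("", "0.0.0.0", "::") else host
        if tlsverify:
            findings.append(Finding(listener, "ok",
                                    f"TLS with client-certificate verification on {where}"))
        elif tls:
            # --tls alone encrypts the connection but authenticates no one.
            findings.append(Finding(listener, "critical",
                                    f"--tls without --tlsverify: any client is accepted on {where}"))
        else:
            findings.append(Finding(listener, "critical",
                                    f"plaintext Docker API without authentication on {where}; "
                                    "any client that can reach it gets root on the host"))
    return findings


# Constructed sample configurations (not taken from a real host).
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

if __name__ == "__main__":
    for label, doc in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(f"== {label} ==")
        for f in audit(doc, None):
            print(f"  [{f.severity}] {f.listener}: {f.reason}")
```

Two caveats when applying the hardened form: the listener moves to 2376 by convention only, and the daemon still must not be reachable from the Internet; and on systemd hosts, putting "hosts" in daemon.json while the unit file also passes -H fd:// makes dockerd refuse to start with a "specified both as a flag and in the configuration file" error, so set the listeners in one place only.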

Building on the previous campaign

According to TrendMicro, the same threat actor was observed collecting Docker Hub credentials during a previous campaign in July. TrendMicro assesses that the Docker Hub accounts compromised in that campaign are being used in the current one to host malicious Docker images; it reports having seen more than 150,000 image pulls from the malicious Docker Hub accounts.

In addition to installing cryptominers, the attackers scan for other vulnerable Docker instances exposed to the Internet and perform container-to-host escapes to reach the network hosting the compromised Docker instances. TrendMicro also notes that while scanning for other vulnerable instances, the threat actors check ports that have been observed in earlier distributed denial-of-service (DDoS) botnet campaigns.

"This recent attack only underscores the increasing sophistication with which exposed servers are attacked, particularly by capable threat actors such as TeamTNT who use compromised user credentials to respond to their malicious motives," the researchers conclude, adding that they have already contacted Docker and that the accounts involved in this attack have been removed.

Protect your servers with one of the best firewall apps and services, and make sure your endpoints are running up-to-date endpoint protection tools to defend against attacks of this kind.