Threat actors are continuing to exploit poorly configured Docker instances (opens in new tab) to conduct various malicious activities such as the installation of Monero cryptominers (opens in new tab), warn cybersecurity (opens in new tab) researchers.
The ongoing campaign that began last month is being conducted by the TeamTNT hacking group, and was discovered by security experts at TrendMicro (opens in new tab).
“Exposed Docker APIs have become prevalent targets for attackers as these allow them to execute their own malicious code with root privileges on a targeted host if security considerations are not accounted for,” note (opens in new tab) the researchers.
We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.
>> Click here to start the survey in a new window (opens in new tab) <<
According to the researchers, the compromised container fetches various post-exploitation and lateral movement tools, including container escaping scripts, credential stealers, and cryptocurrency (opens in new tab) miners.
Building on previous campaign
According to TrendMicro, the same threat actor was observed collecting Docker Hub credentials in a previous campaign (opens in new tab) back in July.
TrendMicro fathoms that Docker Hub accounts compromised in the earlier campaign are being used in the ongoing campaign to drop malicious Docker images. In fact, TrendMicro reports that it has seen over 150,000 pulls of images from the malicious Docker Hub accounts.
Besides installing cryptominers, the threat actors scan for other vulnerable Internet-exposed Docker instances, and perform container-to-host escapes to access the main network that hosts the compromised Docker instances.
TrendMicro also notes that while scanning for other vulnerable instances, the threat actors check ports that have been observed in past distributed denial-of-service (DDoS (opens in new tab)) botnet campaigns as well.
“This recent attack only highlights the increasing sophistication with which exposed servers are targeted, especially by capable threat actors like TeamTNT that use compromised user credentials to fulfill their malicious motives,” conclude the researchers, noting that they have already reached out to Docker, and the accounts involved in this attack have been removed.
Protect your servers using one of these best firewall (opens in new tab) apps and services, and ensure your computers are running these best endpoint protection tools (opens in new tab) to ward off all kinds of attacks.