A new malicious campaign that emerged last month targets Docker servers that are misconfigured and therefore left exposed to attack. Reportedly linked to TeamTNT, the attacks are designed for cryptocurrency mining.
Docker Servers Being Abused: Details
A recent report from Trend Micro researchers describes how such an attack unfolds:
1. First, the attacker uses an exposed Docker REST API to create a container on the vulnerable host. The malicious images it runs are hosted on Docker Hub accounts that have either been compromised or are controlled by the threat actors, and are then deployed on the host. The researchers observed more than 150,000 pulls of these images.
2. The dropped container then executes cron jobs and retrieves further malicious tools for lateral movement and post-exploitation, among them credential stealers, cryptocurrency miners, and container-escape scripts.
3. Following patterns seen in past DDoS attacks, the attackers check ports 2375, 2376, 2377, 4243 and 4244 while looking for other vulnerable instances.
4. Gathering server data is also part of the threat actors' arsenal. The server data they are interested in include CPU cores
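As an added, defender-side example (not code from the article or from the Trend Micro report), the Python below turns the steps above into two checks an operator can run: it audits a dockerd daemon.json for unauthenticated TCP listeners on the five ports the campaign scans, and it triages docker inspect-style container records for the settings the described tradecraft relies on (a privileged container, host bind mounts, cron being started, an image from an unexpected Docker Hub namespace). The daemon.json dicts, the container records and the TRUSTED_NAMESPACES allow-list are all constructed for the example.

```python
"""Defender-side triage for the exposed-Docker-API abuse described above.

Added example, not code from the article or from Trend Micro. Checks a dockerd
daemon.json for unauthenticated TCP listeners on the ports the campaign scans and
flags `docker inspect`-style records whose settings match the described
tradecraft. All input data below is constructed for the example.
"""
import re

# Ports the article lists as scanned by the campaign (Docker API and Swarm).
DOCKER_API_PORTS = {2375, 2376, 2377, 4243, 4244}

# Host paths that hand a container effective control of the host when bind-mounted.
SENSITIVE_MOUNTS = {"/", "/etc", "/root", "/proc", "/sys", "/var/run/docker.sock"}

# Hypothetical allow-list of image namespaces this site expects to run.
# "library" is the namespace Docker Hub uses for official images.
TRUSTED_NAMESPACES = {"library", "example-corp"}

CRON_RE = re.compile(r"\bcron(d|tab)?\b")


def audit_daemon_hosts(daemon_config: dict) -> list:
    """Return findings for tcp:// listeners in a dockerd daemon.json dict."""
    findings = []
    tls_verify = bool(daemon_config.get("tlsverify"))
    for host in daemon_config.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are not reachable over the network
        bind, _, port = host[len("tcp://"):].rpartition(":")
        port = int(port) if port.isdigit() else None
        if bind in ("", "0.0.0.0", "[::]") and not tls_verify:
            findings.append(f"{host}: unauthenticated Docker API bound to all interfaces")
        elif port in DOCKER_API_PORTS and not tls_verify:
            findings.append(f"{host}: Docker API listener without TLS client verification")
    return findings


def image_namespace(image: str) -> str:
    """Namespace of a Docker Hub image reference; bare names are official images."""
    first, _, rest = image.partition("/")
    return first if rest else "library"


def triage_container(record: dict) -> list:
    """Return the reasons a `docker inspect` record matches the campaign's tradecraft."""
    reasons = []
    host_cfg = record.get("HostConfig") or {}
    cfg = record.get("Config") or {}
    if host_cfg.get("Privileged"):
        reasons.append("privileged container")
    if host_cfg.get("PidMode") == "host":
        reasons.append("shares the host PID namespace")
    for bind in host_cfg.get("Binds") or []:
        src = bind.split(":", 1)[0]
        if (src.rstrip("/") or "/") in SENSITIVE_MOUNTS:
            reasons.append(f"bind-mounts sensitive host path {src}")
    image = cfg.get("Image", "")
    if image_namespace(image) not in TRUSTED_NAMESPACES:
        reasons.append(f"image {image} from untrusted namespace")
    command = " ".join((cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or []))
    if CRON_RE.search(command):
        reasons.append("container starts or installs cron jobs")
    return reasons


def triage_all(records: list) -> dict:
    """Map container name to its findings, keeping only containers with findings."""
    result = {}
    for rec in records:
        reasons = triage_container(rec)
        if reasons:
            result[rec.get("Name", "<unnamed>")] = reasons
    return result


# Constructed daemon.json as left by an operator who enabled the TCP API.
WEAK_DAEMON_JSON = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
# Corrected version: TLS with client certificate verification required (paths hypothetical).
HARDENED_DAEMON_JSON = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True, "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem",
}

# Constructed `docker inspect` records: one matching the described campaign, one benign.
SAMPLE_CONTAINERS = [
    {"Name": "/hungry_miner",
     "Config": {"Image": "badactor-example/alpine:latest",
                "Cmd": ["sh", "-c", "crontab /tmp/job && crond -f"]},
     "HostConfig": {"Privileged": True, "PidMode": "host", "Binds": ["/:/host"]}},
    {"Name": "/web",
     "Config": {"Image": "nginx:1.25", "Cmd": ["nginx", "-g", "daemon off;"]},
     "HostConfig": {"Privileged": False, "PidMode": "",
                    "Binds": ["/srv/www:/usr/share/nginx/html:ro"]}},
]

if __name__ == "__main__":
    for finding in audit_daemon_hosts(WEAK_DAEMON_JSON):
        print("daemon:", finding)
    for name, reasons in triage_all(SAMPLE_CONTAINERS).items():
        print(name, "->", "; ".join(reasons))
```

On a real host, feed audit_daemon_hosts the parsed /etc/docker/daemon.json and triage_all the output of docker inspect over docker ps -aq; the namespace allow-list is the one piece that has to be adapted to what the site actually runs.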