TeamTNT hackers target your poorly configured Docker servers (Security News, November 2021)
Poorly configured Docker servers are being actively targeted by the TeamTNT hacking group in an ongoing campaign that started last month.
As illustrated in an attack workflow, the attack starts with creating a container on the vulnerable host through an exposed Docker REST API. TeamTNT then uses compromised or actor-controlled Docker Hub accounts to host malicious images and deploy them on the targeted host.
TrendMicro reports that this campaign also uses compromised Docker Hub accounts controlled by TeamTNT to drop malicious Docker images.
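Because the campaign's first visible step on the host is a container created from an attacker-controlled Docker Hub image, a defender watching the daemon's own event stream can catch it early. The script below is an added example for this article, not Trend Micro's or Docker's tooling: it reads the JSON lines that `docker events --format '{{json .}}'` emits, expands short image names the way Docker does (so `nginx` and `docker.io/library/nginx` compare equal), and flags every container-create event whose image falls outside an allowlist. The allowlist prefixes and the sample events are constructed for illustration.

```python
"""Flag container-create events whose image is not from an approved registry.

Added example for the TeamTNT article; not Trend Micro's or Docker's code.
Input lines are the JSON objects emitted by ``docker events --format '{{json .}}'``.
"""
import json
from typing import Iterable, List, Tuple

# Assumption (constructed policy): only the internal registry and official
# Docker Hub "library" images are approved on these hosts.
ALLOWED_PREFIXES = ("registry.internal.example/", "docker.io/library/")

# Constructed sample event stream; image names and IDs are made up.
SAMPLE_EVENTS = [
    '{"Type":"container","Action":"create","Actor":{"ID":"a1","Attributes":{"image":"registry.internal.example/web:1.4","name":"web"}},"time":1636000000}',
    '{"Type":"container","Action":"create","Actor":{"ID":"b2","Attributes":{"image":"nginx:latest","name":"proxy"}},"time":1636000060}',
    '{"Type":"container","Action":"create","Actor":{"ID":"c3","Attributes":{"image":"someuser/miner:latest","name":"sysupdate"}},"time":1636000120}',
    '{"Type":"container","Action":"start","Actor":{"ID":"c3","Attributes":{"image":"someuser/miner:latest","name":"sysupdate"}},"time":1636000121}',
    'not json at all',
]


def split_tag(ref: str) -> Tuple[str, str]:
    """Separate repository and tag. A ':' only denotes a tag when it comes
    after the last '/', so 'localhost:5000/app' keeps its port."""
    name = ref.split("@", 1)[0]  # drop any digest suffix
    slash = name.rfind("/")
    colon = name.rfind(":")
    if colon > slash:
        return name[:colon], name[colon + 1:]
    return name, "latest"


def normalize_repo(repo: str) -> str:
    """Expand Docker's short forms to fully qualified names:
    'nginx' -> 'docker.io/library/nginx', 'user/img' -> 'docker.io/user/img'.
    The first path component is a registry host only if it contains '.' or ':'
    or is 'localhost' (the same rule the Docker reference parser applies)."""
    first = repo.split("/", 1)[0]
    if "." in first or ":" in first or first == "localhost":
        return repo
    if "/" not in repo:
        return "docker.io/library/" + repo
    return "docker.io/" + repo


def suspicious_creates(lines: Iterable[str]) -> List[dict]:
    """Return one finding per container-create event from a non-allowlisted image."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a monitor should skip malformed lines, not crash
        if ev.get("Type") != "container" or ev.get("Action") != "create":
            continue
        attrs = ev.get("Actor", {}).get("Attributes", {})
        repo, tag = split_tag(attrs.get("image", ""))
        full = normalize_repo(repo)
        if not full.startswith(ALLOWED_PREFIXES):
            findings.append({
                "container": attrs.get("name"),
                "image": f"{full}:{tag}",
                "time": ev.get("time"),
            })
    return findings


if __name__ == "__main__":
    for f in suspicious_creates(SAMPLE_EVENTS):
        print(f"ALERT container={f['container']} image={f['image']} time={f['time']}")
```

In production the script would read `docker events` from a pipe instead of the embedded list; the start event for the same container is deliberately ignored so that one create produces one alert.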
The actors were spotted collecting Docker Hub credentials in a previous campaign analyzed by TrendMicro in July, when credential stealers were deployed in attacks.
TeamTNT is a sophisticated actor that constantly evolves its techniques and shifts its short-term targeting focus, but it remains a constant threat to vulnerable Docker systems.
Docker provides some "Mandatory" tips that can be used to lock down Docker's REST API and prevent these types of attacks.
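The setting that makes these attacks possible is a daemon listening on TCP without requiring client certificates: `--tls` alone encrypts the connection but still lets any client create containers, whereas `--tlsverify` (or `"tlsverify": true` in daemon.json) rejects clients that do not present a certificate signed by the configured CA. The audit below is an added example, not part of Docker's tooling: it reads the `hosts`, `tls` and `tlsverify` settings from a daemon.json dictionary and the `-H/--host`, `--tls` and `--tlsverify` flags from a dockerd command line, and reports every TCP listener that lacks client-certificate verification. The weak and hardened configurations are constructed, and the certificate paths in them are placeholders.

```python
"""Audit a Docker daemon for an unauthenticated remote REST API listener.

Added example for the TeamTNT article, not Docker's own code. It reads the
same settings dockerd accepts: the ``hosts``, ``tls``, ``tlsverify`` keys of
/etc/docker/daemon.json and the -H/--host, --tls, --tlsverify flags.
"""
import shlex
from typing import Dict, List

# Constructed weak configuration: the API on 0.0.0.0:2375 with no TLS at all.
WEAK_CONFIG = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}

# Constructed hardened configuration: TLS with mandatory client certificates.
# Certificate paths are placeholders.
HARDENED_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}


def listener_hosts(daemon_json: Dict, argv: List[str]) -> List[str]:
    """Collect every listener from daemon.json and the dockerd command line."""
    hosts = list(daemon_json.get("hosts", []))
    it = iter(argv)
    for arg in it:
        if arg in ("-H", "--host"):
            hosts.append(next(it, ""))
        elif arg.startswith("-H=") or arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
    return hosts


def tls_verify_enabled(daemon_json: Dict, argv: List[str]) -> bool:
    """True only when client certificates are required (tlsverify).
    Plain tls only encrypts; it does not authenticate the client."""
    if daemon_json.get("tlsverify") is True:
        return True
    return any(a in ("--tlsverify", "--tlsverify=true") for a in argv)


def tls_enabled(daemon_json: Dict, argv: List[str]) -> bool:
    """True when the daemon encrypts TCP connections at all."""
    return (daemon_json.get("tls") is True
            or any(a in ("--tls", "--tls=true") for a in argv)
            or tls_verify_enabled(daemon_json, argv))


def audit(daemon_json: Dict, dockerd_cmdline: str) -> List[str]:
    """Return findings; an empty list means no unauthenticated TCP listener."""
    argv = shlex.split(dockerd_cmdline)
    verify = tls_verify_enabled(daemon_json, argv)
    encrypted = tls_enabled(daemon_json, argv)
    findings = []
    for host in listener_hosts(daemon_json, argv):
        if not host.startswith("tcp://"):
            continue  # unix sockets are governed by file permissions, not TLS
        if not encrypted:
            findings.append(f"CRITICAL {host}: plaintext API, no client authentication")
        elif not verify:
            findings.append(f"CRITICAL {host}: TLS without tlsverify, any client is accepted")
        elif "0.0.0.0" in host or "[::]" in host:
            findings.append(f"INFO {host}: authenticated, but bound to all interfaces; restrict with a firewall")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg, "dockerd") or ["OK"])
```

Run it against the actual `/etc/docker/daemon.json` and the `ExecStart` line of the dockerd unit; any CRITICAL line is exactly the exposure this campaign looks for.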
Related news
- US, UK warn of Russian APT29 hackers targeting Zimbra, TeamCity servers
- CISA: Hackers abuse F5 BIG-IP cookies to map internal servers
- Cybercriminals Exploiting Docker API Servers for SRBMiner Crypto Mining Attacks
- Perfctl malware strikes again as crypto-crooks target Docker Remote API servers