Headline
TeamTNT Exploits 16 Million IPs in Malware Attack on Docker Clusters
This article details a new campaign by TeamTNT, a notorious hacking group, leveraging exposed Docker daemons to deploy…
This article details a new campaign by TeamTNT, a notorious hacking group, leveraging exposed Docker daemons to deploy malware, using compromised servers and Docker Hub to spread their attacks. They also use cryptomining to earn money from their victims’ computational power.
Cybersecurity researchers at Aqua Nautilus have discovered a new hacking campaign by Adept Libra (aka TeamTNT), targeting exposed Docker daemons to deploy Sliver malware, a cyber worm, and cryptominers.
TeamTNT is a notorious hacking group known for aggressive and persistent attacks on cloud-native environments. The group is known for exploiting vulnerabilities in Docker daemons and Kubernetes clusters to deploy malware and hijack resources for cryptocurrency mining.
In a recent campaign, TeamTNT compromised a legitimate Docker Hub account (nmlm99) to host malicious software, uploading around 30 images divided into two categories: infrastructure and impact. The infrastructure images are used to spread malware, while the impact images focus on mining cryptocurrency or renting out computing power.
Attack flow and TeamTNT’s signature
TeamTNT is using Docker Gatling Gun, which scans a massive range of IP addresses (around 16.7 million) for vulnerabilities in Docker daemons running on specific ports (2375, 2376, 4243, and 4244). If a vulnerability is found, a container from a compromised TeamTNT Docker Hub account is deployed, running a minimal Alpine Linux operating system and executing a malicious script called “TDGGinit.sh”. This script likely sets the stage for further malicious activity on the compromised system.
“TeamTNT deploys among other a local search of keys and credentials, such as SSH, cloud metadata server calls etc. Once they gain access, they store and disseminate their malware through these accounts,” the report read.
To evade detection, TeamTNT employs the Sliver malware, a more advanced and stealthier tool compared to their previous tool, Tsunami. They also use familiar names like Chimaera and Bioset to blend in with legitimate processes. Additionally, they steal credentials and scan networks for further targets.
For command and control, TeamTNT relies on web servers, Docker Hub, and various communication protocols like DNS, mTLS, and potentially proxies. Ultimately, their goal is to hijack resources for cryptocurrency mining or sell access to the compromised systems.
To mine cryptocurrency, such as Monero, TeamTNT uses various mining software, including XMRig, T-Rex, CGMiner, BFGMiner, and SGMiner. They often optimize mining operations by targeting specific hardware and software configurations.
This campaign shows TeamTNT’s ability to adapt and evolve, urging organizations to be alert and upgrade their cybersecurity. The group is highly skilled and motivated and is not afraid to take risks. To protect against TeamTNT risks, organizations must invest in strong security practices, including software updates and network infrastructure security.
- Google Kubernetes Engine Flaws Could Allow Cluster Takeover
- OracleIV DDoS Botnet Malware Hits Docker Engine API Instances
- Malware Exploits 9Hits, Turns Docker Servers into Crypto Miners
- Linux Malware Alert: Spinning YARN Hits Docker, Other Key Apps
- Cryptomining, Malware Flourish on Exposed Kubernetes Clusters