The d8s-xml for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-strings package. The affected version is 0.1.0.

We discovered a potential code execution backdoor in version 0.1.0 of the project, the backdoor is the democritus-strings package. Attackers can upload democritus-strings packages containing arbitrary malicious code. For the safety of this project, the democritus-strings package has been uploaded by us.

The democritus-strings package can be successfully installed using pip install d8s-xml==0.1.0

Suggestion: remove version 0.1.0 of this project in PyPI

CVE-2022-38886: code execution backdoor · Issue #10 · democritus-project/d8s-xml

The d8s-python for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The democritus-strings package. The affected version is 0.1.0.

**Project description**

**Democritus Python**

      

Democritus functions\[1\] for working with Python data (code and ASTs).

\[1\] Democritus functions are _simple, effective, modular, well-tested, and well-documented_ Python functions.

We use d8s (pronounced "dee-eights") as an abbreviation for democritus (you can read more about this here).

**Installation**

    pip install d8s-python
    

**Usage**

You import the library like:

from d8s\_python import \*

Once imported, you can use any of the functions listed below.

**Functions**

*   def python\_functions\_signatures(
        code\_text: str,
        \*,
        ignore\_private\_functions: bool \= False,
        ignore\_nested\_functions: bool \= False,
        keep\_function\_name: bool \= False,
    ) \-> List\[str\]:
        """Return the function signatures for all of the functions in the given code\_text."""
    
*   def python\_todos(code\_text: str, todo\_regex: str \= 'TODO:.\*') \-> List\[str\]:
        """Return all todos in the given code\_text that match the given todo\_regex."""
    
*   def python\_make\_pythonic(name: str) \-> str:
        """Make the name pythonic.
    
    (e.g. 'fooBar' => 'foo\_bar', 'foo-bar' => 'foo\_bar', 'foo bar' => 'foo\_bar', 'Foo Bar' => 'foo\_bar')."""
    
*   def python\_namespace\_has\_argument(namespace: argparse.Namespace, argument\_name: str) \-> bool:
        """."""
    
*   def python\_traceback\_prettify(traceback: str) \-> str:
        """Return a string with the given traceback pretty-printed."""
    
*   def python\_traceback\_pretty\_print(traceback: str) \-> None:
        """Return a string with the given traceback pretty-printed."""
    
*   def python\_clean(code\_text: str) \-> str:
        """Clean python code as it is often found in documentation and snippets."""
    
*   def python\_function\_blocks(
        code\_text: str, \*, ignore\_private\_functions: bool \= False, ignore\_nested\_functions: bool \= False
    ) \-> List\[str\]:
        """Find the code (as a string) for every function in the given code\_text."""
    
*   def python\_line\_count(python\_code: str, \*, ignore\_empty\_lines: bool \= True) \-> int:
        """Return the number of lines in the given function\_text."""
    
*   def python\_function\_lengths(code\_text: str) \-> List\[int\]:
        """Find the lengths of each function in the given code\_text."""
    
*   def python\_version() \-> str:
        """Return the python version of the current environment."""
    
*   def python\_is\_version\_2() \-> bool:
        """Return whether or not the python version of the current environment is v2.x."""
    
*   def python\_is\_version\_3() \-> bool:
        """Return whether or not the python version of the current environment is v3.x."""
    
*   def python\_files\_using\_function(function\_name: str, search\_path: str) \-> List\[str\]:
        """Find where the given function is used in the given search path."""
    
*   def python\_keywords() \-> List\[str\]:
        """Get a list of the python keywords."""
    
*   def python\_object\_properties\_enumerate(
        python\_object: Any, \*, run\_methods: bool \= True, internal\_properties: bool \= True
    ) \-> None:
        """Enumerate and print out the properties of the given object."""
    
*   def python\_copy\_deep(python\_object: Any) \-> Any:
        """Return a deep (complete, recursive) copy of the given python object."""
    
*   def python\_copy\_shallow(python\_object: Any) \-> Any:
        """Return shallow copy of the given python object."""
    
*   def python\_file\_names(path: str, \*, exclude\_tests: bool \= False) \-> List\[str\]:
        """Find all python files in the given directory."""
    
*   def python\_fstrings(code\_text: str, \*, include\_braces: bool \= False) \-> Iterator\[str\]:
        """Find all of the python formatted string literals in the given text. See https://realpython.com/python-f-strings/ for more details about f-strings."""
    
*   def python\_code\_details(code\_text: str):
        """Get details about the given code\_text. This is a wrapper for \`dis.code\_info\`"""
    
*   def python\_disassemble(code\_text: str):
        """Disassemble the python code\_text. This is a wrapper for \`dis.dis\`"""
    
*   def python\_stack\_local\_data():
        """Get local data in the current python environment."""
    
*   def python\_object\_doc\_string(python\_object: Any) \-> Union\[str, None\]:
        """Get the doc string for the given python object (e.g. module, function, or class)."""
    
*   def python\_object\_source\_file(python\_object: Any) \-> str:
        """Get the source file for the given python object (e.g. module, function, or class)."""
    
*   def python\_object\_module(python\_object: Any) \-> str:
        """Get the module for the given python object (e.g. function or class)."""
    
*   def python\_object\_source\_code(python\_object: Any) \-> str:
        """Get the source code for the given python object (e.g. module, function, or class)."""
    
*   def python\_object\_signature(python\_object: Any) \-> str:
        """Get the argument signature for the given python object (e.g. module, function, or class)."""
    
*   def python\_sort\_type\_list\_by\_name(python\_type\_list: List\[type\], \*\*kwargs) \-> List\[type\]:
        """."""
    
*   def python\_type\_name(python\_type: type) \-> str:
        """Return the common name of the given type."""
    
*   def python\_object\_type\_to\_word(python\_object: Any) \-> str:
        """Convert the given python type to a string."""
    
*   def python\_ast\_raise\_name(node: ast.Raise) \-> Optional\[str\]:
        """Get the name of the exception raise by the given ast.Raise object."""
    
*   def python\_ast\_exception\_handler\_exceptions\_handled(handler: ast.ExceptHandler) \-> Optional\[Iterable\[str\]\]:
        """Return all of the exceptions handled by the given exception handler."""
    
*   def python\_ast\_exception\_handler\_exceptions\_raised(handler: ast.ExceptHandler) \-> Optional\[Iterable\[str\]\]:
        """Return the exception raised by the given exception handler."""
    
*   def python\_exceptions\_handled(code\_text: str) \-> Iterable\[str\]:
        """Return a list of all exceptions handled in the given code."""
    
*   def python\_exceptions\_raised(code\_text: str) \-> Iterable\[str\]:
        """Return a list of all exceptions raised in the given code."""
    
*   def python\_functions\_as\_import\_string(code\_text: str, module\_name: str) \-> str:
        """."""
    
*   def python\_ast\_object\_line\_number(ast\_object: object) \-> Optional\[int\]:
        """."""
    
*   def python\_ast\_object\_line\_numbers(ast\_object: object) \-> Tuple\[int, int\]:
        """."""
    
*   def python\_ast\_objects\_of\_type(
        code\_text\_or\_ast\_object: Union\[str, object\], ast\_type: type, \*, recursive\_search: bool \= True
    ) \-> Iterable\[object\]:
        """Return all of the ast objects of the given ast\_type in the code\_text\_or\_ast\_object."""
    
*   def python\_ast\_objects\_not\_of\_type(code\_text\_or\_ast\_object: Union\[str, object\], ast\_type: type) \-> Iterable\[object\]:
        """Return all of the ast objects which are not of the given ast\_type in the code\_text\_or\_ast\_object."""
    
*   def python\_ast\_parse(code\_text: str) \-> ast.Module:
        """."""
    
*   def python\_ast\_function\_defs(code\_text: str, recursive\_search: bool \= True) \-> Iterable\[ast.FunctionDef\]:
        """."""
    
*   def python\_function\_arguments(function\_text: str) \-> List\[ast.arg\]:
        """."""
    
*   def python\_function\_argument\_names(function\_text: str) \-> Iterable\[str\]:
        """."""
    
*   def python\_function\_argument\_defaults(function\_text: str) \-> List\[str\]:
        """."""
    
*   def python\_function\_argument\_annotations(function\_text: str) \-> List\[str\]:
        """."""
    
*   def python\_function\_names(
        code\_text: str, \*, ignore\_private\_functions: bool \= False, ignore\_nested\_functions: bool \= False
    ) \-> List\[str\]:
        """."""
    
*   def python\_function\_docstrings(
        code\_text: str, \*, ignore\_private\_functions: bool \= False, ignore\_nested\_functions: bool \= False
    ) \-> List\[str\]:
        """Get docstrings for all of the functions in the given text."""
    
*   def python\_variable\_names(code\_text: str) \-> List\[str\]:
        """Get all of the variables names in the code\_text."""
    
*   def python\_constants(code\_text: str) \-> List\[str\]:
        """Get all constants in the code\_text."""
    

**Development**

👋  If you want to get involved in this project, we have some short, helpful guides below:

*   contribute to this project 🥇
*   test it 🧪
*   lint it 🧹
*   explore it 🔭

If you have any questions or there is anything we did not cover, please raise an issue and we'll be happy to help.

**Credits**

This package was created with Cookiecutter and Floyd Hightower's Python project template.

**Download files**

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

**Source Distribution****Built Distribution**

CVE-2022-38887: d8s-python

The d8s-domains for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-hypothesis package. The affected version is 0.1.0

Democritus functions to interact with Hypothesis.

*   Project description
*   Project details
*   Release history
*   Download files

**Project description**

    

Democritus functions\[1\] for working with Hypothesis.

\[1\] Democritus functions are _simple, effective, modular, well-tested, and well-documented_ Python functions.

**Usage**

Coming soon...

**Credits**

This package was created with Cookiecutter and Floyd Hightower's Python project template.

**Project details**  

**Download files**

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

**Source Distribution**

Close

**Hashes for democritus\_hypothesis-2021.1.2101.tar.gz**

Hashes for democritus\_hypothesis-2021.1.2101.tar.gz

Algorithm

Hash digest

SHA256

aaa683f5ebb4a282c1aad77f13359203bb2a3c71d09e282488dfa41df8bae818

MD5

d6621f711f0df829375fcab223aa0e7d

BLAKE2-256

39107eb111d7d7afb3d04c69aa3e5b431def25cc2660a84af1627aa5d9ec4d92

CVE-2022-40807: democritus-hypothesis

The d8s-domains for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-networking package. The affected version is 0.1.0

Democritus functions for working with network requests.

*   Project description
*   Project details
*   Release history
*   Download files

**Project description**

  

Democritus functions\[1\] for working with network requests.

\[1\] Democritus functions are _simple, effective, modular, well-tested, and well-documented_ Python functions.

**Usage**

Coming soon...

**Credits**

This package was created with Cookiecutter and Floyd Hightower's Python project template.

**Project details**  

**Download files**

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

**Source Distribution**

Close

**Hashes for democritus\_networking-2021.1.2101.tar.gz**

Hashes for democritus\_networking-2021.1.2101.tar.gz

Algorithm

Hash digest

SHA256

a139aafc83f392abc719a84a1733189899f3b8587bc84c5ac2d8835821343048

MD5

bf27bedf981bd377a7686a9ec91e6219

BLAKE2-256

7544ef1be47a0dc02723fda67e5fa4d685677a9deea42cce294be4b5a8c41185

CVE-2022-40427: democritus-networking

The d8s-urls for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-file-system package. The affected version is 0.1.0.

**Project description**

**Democritus File System (Files and Directories)**

  

Democritus functions\[1\] for working with files and directories.

\[1\] Democritus functions are _simple, effective, modular, well-tested, and well-documented_ Python functions.

**Usage**

Coming soon...

**Credits**

This package was created with Cookiecutter and Floyd Hightower's Python project template.

**Download files**

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

**Source Distribution**

CVE-2022-40811: democritus-file-system

The d8s-dates for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-hypothesis package. The affected version is 0.1.0

We discovered a potential code execution backdoor in version 0.1.0 of the project, the backdoor is the democritus-hypothesis package. Attackers can upload democritus-hypothesis packages containing arbitrary malicious code. For the safety of this project, the democritus-hypothesis package has been uploaded by us.

The democritus-hypothesis package can be successfully installed using pip install d8s-dates==0.1.0

Suggestion: remove version 0.1.0 of this project in PyPI

CVE-2022-40808: code execution backdoor · Issue #26 · democritus-project/d8s-dates

The d8s-urls for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The affected version is 0.1.0.

Democritus functions for working with Python strings.

*   Project description
*   Project details
*   Release history
*   Download files

**Project description**

  

Democritus functions\[1\] for working with Python strings.

\[1\] Democritus functions are _simple, effective, modular, well-tested, and well-documented_ Python functions.

**Usage**

Coming soon...

**Credits**

This package was created with Cookiecutter and Floyd Hightower's Python project template.

**Project details**  

**Download files**

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

**Source Distribution**

Close

**Hashes for democritus\_strings-2021.1.28901.tar.gz**

Hashes for democritus\_strings-2021.1.28901.tar.gz

Algorithm

Hash digest

SHA256

04da63d5eea60ed11af7ab04749cedaa30388d03af16a7f877e4a9b0e9ecdf73

MD5

e6f7519a554373579885a24d2556cfe6

BLAKE2-256

3473320cd60b905fcd09b4ba23ba254f6377a48ec6b0a6124298f7804eb0e1d7

CVE-2022-38880: democritus-strings

Alleged teen hacker claims he found an admin password in a network share inside Uber that allowed complete access to ride-sharing giant's AWS, Windows, Google Cloud, VMware, and other environments.

Questions are swirling around Uber's internal security practices after an 18-year-old hacker gained what appears to have been complete administrative access to critical parts of the company's IT infrastructure using an employee's VPN credentials as an initial access vector.

Numerous screenshots that the alleged attacker posted online suggest the intruder did not have to breach a single internal system to essentially pwn the ride-sharing giant's IT domain almost entirely.

So far, Uber has not disclosed details of the incident beyond saying that the company is responding to it and working with law enforcement to investigate the breach. So, at least some of what is being is reported about the incident is based on a New York Times report from Sept. 15 in which the teen claimed to have gained access to Uber's internal networks using credentials obtained from an employee via social engineering. The attacker used that access to move laterally across Uber's internal domain to other critical systems, including its email, cloud storage, and code repository environments.

Since then, he has posted numerous screen shots of internal systems at Uber to confirm the access he had obtained on it and how it was obtained.

The screenshots show the hacker gained full administrative access to Uber's AWS, Google Cloud, VMware vSphere, and Windows environments — as well as to a full database of vulnerabilities in its platform that security researchers have discovered and disclosed to the company via a bug bounty program managed by HackerOne. The internal data the attacker accessed appears to include Uber sales metrics, information on Slack, and even info from the company's endpoint detection and response (EDR) platform.

In a tweet thread that some security researchers reposted, Twitter user Corben Leo posted claims from the alleged hacker that he used the socially engineered credentials to access Uber's VPN and scan the company's intranet. The hacker described finding an Uber network share that contained PowerShell scripts with privileged admin credentials. "One of the PowerShell scripts contained the username and password for an admin user in Thycotic (PAM). Using this I was able to extract secrets for all services, DA, Duo, OneLogin, AWS, GSuite," the attacker claimed.

For now, the attacker's motivations are not very clear. Normally, it's pretty apparent, but the only thing that hacker has done so far is make a lot of noise, noted that Uber drivers should be paid more, and shared screenshots proving access.

"They seemed really young and maybe even a little sloppy. Some of their screenshots had open chat windows and a ton of metadata," says Sam Curry, a security engineer at Yuga Labs who has reviewed the screenshots,

**Pure-Play Social Engineering**

Invincible Security Group (ISG), a Dubai-based security services firm, claimed that its researchers had obtained a list of administrative credentials that the threat actor had gathered. "They seem to be strong passwords, which confirms that it was indeed a social-engineering attack that got him access to Uber's internal network," ISG tweeted.

Curry tells Dark Reading that the attacker appears to have gained initial access from compromising one employee's login information and social engineering that person's VPN two-factor authentication 2FA prompt.

"Once they had VPN access, they discovered a network drive with 'keys to the kingdom,' which allowed them to access \[Uber's\] cloud hosting as root on both Google Cloud Platform and Amazon Web Services," Curry notes. "This means they probably had access to every cloud deployment, which is likely the majority of Uber's running applications and cloud storage."

One significant fact is that the employee who was initially compromised worked in incident response, he notes, adding that normally such employees have access to many more tools within Uber's environment than average employees. 

"Having this level of access, and additionally the access they found in the PowerShell script, means that they probably didn’t have too many limitations to do whatever they wanted inside Uber," Curry says.  

In a series of tweets, independent security researcher Bill Demirkapi said the attacker appears to have gained persistent MFA access to the compromised account at Uber "by socially engineering the victim into accepting a prompt that allowed the attacker to register their own device for MFA."

"The fact that the attackers appear to have compromised an IR team member's account is worrisome," Demirkapi tweeted. "EDRs can bake in 'backdoors' for IR, such as allowing IR teams to 'shell into' employee machines (if enabled), potentially widening the attacker's access."

**Bug Bounty Data Access is "Problematic"**

The apparent fact that the attacker gained access to Uber vulnerability data submitted via its bug bounty program is also problematic, security experts say. 

Curry says he learned of the access after the hacker posted a comment about Uber being hacked on the company's bug bounty tickets. Curry had previously discovered and submitted a vulnerability to Uber, which if exploited would have permitted access to its code repositories. That bug was addressed, but it's unclear how many of the other vulnerabilities that have been disclosed to the company have been fixed, how many of them were unpatched, and what level of access those vulnerabilities could provide if exploited. The situation could become significantly worse if the hacker sells the vulnerability data to others.

"Bug bounty programs are an important layer in mature security programs," says Shira Shamban, CEO at Solvo. "A main implication here is that the hacker now knows about other vulnerabilities within the Uber IT environment and can use them to set up backdoors for future use, which is unsettling."

Vulnerability and pen-testing tools are important in enabling companies to better assess and improve the security postures, says Amit Bareket, CEO and co-founder of Perimeter 81. "However, if the correct security measures aren't put in place, these tools can turn into double-sided swords, enabling bad actors to take advantage of the sensitive information they may contain," he says. 

Companies should be aware of this and make sure such reports are protected and stored in encrypted form to avoid being misused for malicious intent, Bareket notes.

The latest incident is unlikely to do much to improve Uber's already somewhat dinged reputation for security. In October 2016, the company experienced a data breach that exposed sensitive information on some 57 million riders. But instead of disclosing the breach as it was required to, the company paid $100,000 to the security researchers that reported the breach in what was viewed as an attempt to pay them off. In 2018, the company settled a lawsuit over the incident for $148 million. It arrived at similar but much smaller settlements in lawsuits over the incidents in the UK and the Netherlands.

Attacker Apparently Didn't Have to Breach a Single System to Pwn Uber

A threat with a North Korea nexus has been found leveraging a "novel spear phish methodology" that involves making use of trojanized versions of the PuTTY SSH and Telnet client.
Google-owned threat intelligence firm Mandiant attributed the new campaign to an emerging threat cluster it tracks under the name UNC4034.
"UNC4034 established communication with the victim over WhatsApp and lured them

A threat with a North Korea nexus has been found leveraging a "novel spear phish methodology" that involves making use of trojanized versions of the PuTTY SSH and Telnet client.

Google-owned threat intelligence firm Mandiant attributed the new campaign to an emerging threat cluster it tracks under the name **UNC4034**.

"UNC4034 established communication with the victim over WhatsApp and lured them to download a malicious ISO package regarding a fake job offering that led to the deployment of the AIRDRY.V2 backdoor through a trojanized instance of the PuTTY utility," Mandiant researchers said.

The use of fabricated job lures as a pathway for malware distribution is an oft-used tactic by North Korean state-sponsored actors, including the Lazarus Group, as part of an enduring campaign called Operation Dream Job.

The entry point of the attack is an ISO file that masquerades as an Amazon Assessment as part of a potential job opportunity at the tech giant. The file was shared over WhatApp after establishing initial contact over email.

The archive, for its part, holds a text file containing an IP address and login credentials, and an altered version of PuTTY that, in turn, loads a dropper called DAVESHELL, which deploys a newer variant of a backdoor dubbed AIRDRY.

It's likely that the threat actor convinced the victim to launch a PuTTY session and use the credentials provided in the TXT file to connect to the remote host, effectively activating the infection.

AIRDRY, also known as BLINDINGCAN, has in the past been used by North Korea-linked hackers to strike U.S. defense contractors and entities in South Korea and Latvia.

While earlier versions of the malware came with nearly 30 commands for file transfer, file management, and command execution, the latest version has been found to eschew the command-based approach in favor of plugins that are downloaded and executed in memory.

Mandiant said it was able to contain the compromise before any further post-exploitation activities could take place following the deployment of the implant.

The development is yet another sign that the use of ISO files for initial access is gaining traction among threat actors to deliver both commodity and targeted malware.

The shift is also attributable to Microsoft's decision to block Excel 4.0 (XLM or XL4) and Visual Basic for Applications (VBA) macros for Office apps downloaded from the internet by default.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

North Korean Hackers Spreading Trojanized Versions of PuTTY Client Application

Malicious actors such as Kinsing are taking advantage of both recently disclosed and older security flaws in Oracle WebLogic Server to deliver cryptocurrency-mining malware.
Cybersecurity company Trend Micro said it found the financially-motivated group leveraging the vulnerability to drop Python scripts with capabilities to disable operating system (OS) security features such as

Malicious actors such as Kinsing are taking advantage of both recently disclosed and older security flaws in Oracle WebLogic Server to deliver cryptocurrency-mining malware.

Cybersecurity company Trend Micro said it found the financially-motivated group leveraging the vulnerability to drop Python scripts with capabilities to disable operating system (OS) security features such as Security-Enhanced Linux (SELinux), and others.

The operators behind the Kinsing malware have a history of scanning for vulnerable servers to co-opt them into a botnet, including that of Redis, SaltStack, Log4Shell, Spring4Shell, and the Atlassian Confluence flaw (CVE-2022-26134).

The Kinsing actors have also been involved in campaigns against container environments via misconfigured open Docker Daemon API ports to launch a crypto miner and subsequently spread the malware to other containers and hosts.

The latest wave of attacks entails the actor weaponizing CVE-2020-14882 (CVSS score: 9.8), a two-year-old remote code execution (RCE) bug, against unpatched servers to seize control of the server and drop malicious payloads.

It's worth noting that the vulnerability has been exploited in the past by multiple botnets to distribute Monero miners and the Tsunami backdoor on infected Linux systems.

Successful exploitation of the flaw was succeeded by the deployment of a shell script that's responsible for a series of actions: Removing the /var/log/syslog system log, turning off security features and cloud service agents from Alibaba and Tencent, and killing competing miner processes.

The shell script then proceeds to download the Kinsing malware from a remote server, while also taking steps to ensure persistence by means of cron job.

"The successful exploitation of this vulnerability can lead to RCE, which can allow attackers to perform a plethora of malicious activities on affected systems," Trend Micro said. "This can range from malware execution \[...\] to theft of critical data, and even complete control of a compromised machine."

****TeamTNT actors make a comeback with the Kangaroo Attack****

The development comes as researchers from Aqua Security identified three new attacks linked to another "vibrant" cryptojacking group called TeamTNT, which voluntarily shut shop in November 2021.

"TeamTNT has been scanning for a misconfigured Docker Daemon and deploying alpine, a vanilla container image, with a command line to download a shell script (k.sh) to a C2 server," Aqua Security researcher Assaf Morag said.

What's notable about the attack chain is that it appears to be designed to break SECP256K1 encryption, which, if successful, could give the actor the ability to calculate the keys to any cryptocurrency wallet. Put differently, the idea is to leverage the high but illegal computational power of its targets to run the ECDLP solver and get the key.

Two other attacks mounted by the group entail the exploitation of exposed Redis servers and misconfigured Docker APIs to deploy coin miners and Tsunami binaries.

TeamTNT's targeting of Docker REST APIs has been well-documented over the past year. But in an operational security blunder spotted by Trend Micro, credentials associated with two of the attacker-controlled DockerHub accounts have been uncovered.

The accounts – alpineos and sandeep078 – are said to have been used to distribute a variety of malicious payloads like rootkits, Kubernetes exploit kits, credential stealers, XMRig Monero miners, and even the Kinsing malware.

"The account alpineos was used in exploitation attempts on our honeypots three times, from mid-September to early October 2021, and we tracked the deployments' IP addresses to their location in Germany," Trend Micro's Nitesh Surana said.

"The threat actors were logged in to their accounts on the DockerHub registry and probably forgot to log out." Alternatively, "the threat actors logged in to their DockerHub account using the credentials of alpineos."

Trend Micro said the malicious alpineos image had been downloaded more than 150,000 times, adding it notified Docker about these accounts.

It's also recommending organizations to configure the exposed REST API with TLS to mitigate adversary-in-the-middle (AiTM) attacks, as well as use credential stores and helpers to host user credentials.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#backdoor