Hackers are going after poorly configured Docker instances

containers
(Image credit: Pixabay)

Threat actors are continuing to exploit poorly configured Docker instances to conduct various malicious activities such as the installation of Monero cryptominers, warn cybersecurity researchers.

The ongoing campaign that began last month is being conducted by the TeamTNT hacking group, and was discovered by security experts at TrendMicro.

“Exposed Docker APIs have become prevalent targets for attackers as these allow them to execute their own malicious code with root privileges on a targeted host if security considerations are not accounted for,” note the researchers.

TechRadar needs yo...

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> <a href="https://project.tolunastart.com/tqsruntime/main?surveyData=LFFFsT0HpgsyUe0tTFumBJohXK8Sedt0ARpsCF4DRGR+oCoVbvd+2+d8+UNIIx4L" data-link-merchant="project.tolunastart.com"" target="_blank">Click here to start the survey in a new window <<

According to the researchers, the compromised container fetches various post-exploitation and lateral movement tools, including container escaping scripts, credential stealers, and cryptocurrency miners.

Building on previous campaign

According to TrendMicro, the same threat actor was observed collecting Docker Hub credentials in a previous campaign back in July. 

TrendMicro fathoms that Docker Hub accounts compromised in the earlier campaign are being used in the ongoing campaign to drop malicious Docker images. In fact, TrendMicro reports that it has seen over 150,000 pulls of images from the malicious Docker Hub accounts.

Besides installing cryptominers, the threat actors scan for other vulnerable Internet-exposed Docker instances, and perform container-to-host escapes to access the main network that hosts the compromised Docker instances.

TrendMicro also notes that while scanning for other vulnerable instances, the threat actors check ports that have been observed in past distributed denial-of-service (DDoS) botnet campaigns as well.

“This recent attack only highlights the increasing sophistication with which exposed servers are targeted, especially by capable threat actors like TeamTNT that use compromised user credentials to fulfill their malicious motives,” conclude the researchers, noting that they have already reached out to Docker, and the accounts involved in this attack have been removed.

Protect your servers using one of these best firewall apps and services, and ensure your computers are running these best endpoint protection tools to ward off all kinds of attacks.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.