The ongoing campaign that began last month is being conducted by the TeamTNT hacking group, and was discovered by security experts at TrendMicro.
“Exposed Docker APIs have become prevalent targets for attackers as these allow them to execute their own malicious code with root privileges on a targeted host if security considerations are not accounted for,” note the researchers.
According to the researchers, the compromised container fetches various post-exploitation and lateral movement tools, including container escaping scripts, credential stealers, and cryptocurrency miners.
Building on previous campaign
According to TrendMicro, the same threat actor was observed collecting Docker Hub credentials in a previous campaign back in July.
TrendMicro fathoms that Docker Hub accounts compromised in the earlier campaign are being used in the ongoing campaign to drop malicious Docker images. In fact, TrendMicro reports that it has seen over 150,000 pulls of images from the malicious Docker Hub accounts.
Besides installing cryptominers, the threat actors scan for other vulnerable Internet-exposed Docker instances, and perform container-to-host escapes to access the main network that hosts the compromised Docker instances.
TrendMicro also notes that while scanning for other vulnerable instances, the threat actors check ports that have been observed in past distributed denial-of-service (DDoS) botnet campaigns as well.
“This recent attack only highlights the increasing sophistication with which exposed servers are targeted, especially by capable threat actors like TeamTNT that use compromised user credentials to fulfill their malicious motives,” conclude the researchers, noting that they have already reached out to Docker, and the accounts involved in this attack have been removed.