TeamTNT group’s Docker Hub accounts found leaking credentials

September 21, 2022

Cybersecurity researchers have found two TeamTNT-controlled Docker Hub accounts that leaked the group's own credentials. The finding came out of honeypots the researchers deployed to observe attacker activity at first hand.

Security researchers routinely look for the flaws attackers exploit, their latest tactics, techniques and procedures (TTPs), and the misconfigurations they target on the platforms they abuse. Honeypots that imitate such misconfigured platforms give researchers a quiet vantage point into the infrastructure attackers operate.

In this case, the honeypots were how the researchers discovered the Docker Hub accounts operated by the TeamTNT threat group.

Exposed Docker REST APIs on researcher-run honeypots revealed the credentials of Docker Hub accounts controlled by the TeamTNT hacking group.

One set of researcher-owned honeypots led to two TeamTNT-controlled Docker Hub accounts, 'alpineos' and 'sandeep078', whose credentials were exposed through the honeypots' Docker REST API (a Docker daemon deliberately left reachable over the network, the same misconfiguration the group scans for).
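The misconfiguration the honeypots imitate, a Docker daemon listening on a TCP socket that anyone on the network can drive, is something a defender can audit for. The following Python function is an added example (not code from the original article or from the research it summarises): it reads a dockerd daemon.json and flags every tcp:// listener that is not bound to loopback and not protected by TLS client-certificate verification. The daemon.json contents below are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed daemon.json contents for illustration (not real hosts).
EXPOSED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

# Addresses on which a listener is only reachable from the host itself.
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def audit_daemon_json(text: str) -> list:
    """Return a list of findings for a dockerd daemon.json document.

    A tcp:// entry in "hosts" makes the Docker REST API network-reachable.
    Without "tlsverify" (plus CA, cert and key paths) any client that can
    reach the port can pull images and start privileged containers, which is
    exactly what the honeypots in the article offered the attackers.
    """
    cfg = json.loads(text)
    findings = []
    tlsverify = bool(cfg.get("tlsverify"))
    tls_files_present = all(cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey"))
    for host in cfg.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// sockets are not reachable over the network
        hostname = parts.hostname or "0.0.0.0"  # "tcp://:2375" binds every interface
        port = parts.port or 2375
        if hostname in LOOPBACK:
            continue
        if not tlsverify:
            findings.append(
                f"{host}: Docker REST API on {hostname}:{port} without tlsverify "
                "(unauthenticated remote control of the daemon)"
            )
        elif not tls_files_present:
            findings.append(f"{host}: tlsverify set but tlscacert/tlscert/tlskey incomplete")
    return findings


if __name__ == "__main__":
    for label, doc in (("exposed", EXPOSED_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_json(doc) or "no findings")
```

The check only reads daemon.json; the same listeners can also be configured with `-H` flags on the dockerd command line (for example in a systemd unit), so an audit of a real host should inspect that as well.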

The group uses these attacker-controlled Docker Hub profiles to distribute malicious container images containing XMRig Monero miners, credential stealers, rootkits, Docker escape kits, Kubernetes exploit kits and Kinsing malware.

The 'alpineos' account hosted more container images than 'sandeep078' and had accumulated roughly 150,000 pulls. It was also the account the TeamTNT threat group used in most of its exploitation attempts.

Most of the IP addresses the adversaries used in their attacks were located in Germany.

The researchers explained that the attackers had logged in to their Docker Hub registry accounts from the hosts they had compromised (the honeypots) and never logged out, which left their credentials behind and gave the researchers a way to examine the group's tooling. They also observed the attackers using the alpineos account credentials to log in to Docker Hub.
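What "logged in but never logged out" means on disk: without a credential helper, `docker login` stores base64("user:password") in `~/.docker/config.json`, where anyone who can read the file, or reach the host through an exposed daemon, can recover it. The script below is an added example, not code from the article or the research; it scans such a file for stored registry logins, reports the username without printing the secret, and shows what removing the stored credentials (the effect of logging out) looks like. The config contents and credentials are constructed placeholders.

```python
import base64
import json
import os
from typing import Dict, Optional

DOCKER_HUB = "https://index.docker.io/v1/"  # registry key Docker uses for Docker Hub

# Constructed ~/.docker/config.json as `docker login` leaves it on a host
# (placeholder username and password, not real credentials).
LEFTOVER_CONFIG = json.dumps({
    "auths": {
        DOCKER_HUB: {"auth": base64.b64encode(b"exampleuser:examplepassword").decode()},
        "registry.example.internal": {"auth": base64.b64encode(b"svc:s3cret:with:colons").decode()},
    }
})

# A config that stores no secret: the Docker Hub entry has no auth value and a
# credential helper is configured, so passwords live in the helper, not the file.
CLEAN_CONFIG = json.dumps({"auths": {DOCKER_HUB: {}}, "credsStore": "pass"})


def stored_logins(config_text: str) -> Dict[str, str]:
    """Map registry -> username for every registry whose password is in the file.

    The password is decoded only to confirm the entry holds a credential; it is
    deliberately not returned, so the finding can be logged safely.
    """
    cfg = json.loads(config_text)
    found = {}
    for registry, entry in cfg.get("auths", {}).items():
        auth = entry.get("auth")
        if not auth:
            continue  # entry without a credential, e.g. after `docker logout`
        decoded = base64.b64decode(auth).decode("utf-8", errors="replace")
        user, sep, password = decoded.partition(":")  # password itself may contain ':'
        if sep and password:
            found[registry] = user
    return found


def docker_hub_user(config_text: str) -> Optional[str]:
    """Username of a stored Docker Hub login, or None if none is stored."""
    return stored_logins(config_text).get(DOCKER_HUB)


def scrub_logins(config_text: str) -> str:
    """Return the config with every stored auth value removed.

    This is the state a host should be left in: registry entries may remain,
    but none of them carries a credential.
    """
    cfg = json.loads(config_text)
    for entry in cfg.get("auths", {}).values():
        entry.pop("auth", None)
    return json.dumps(cfg)


if __name__ == "__main__":
    # Scan the real file on this host, if present; otherwise use the constructed sample.
    path = os.path.expanduser("~/.docker/config.json")
    text = open(path).read() if os.path.exists(path) else LEFTOVER_CONFIG
    for registry, user in stored_logins(text).items():
        print(f"stored credential for {user!r} at {registry}")
```

On a host you administer, the same file is worth including in incident triage: a Docker Hub or private-registry login that nobody remembers creating is a sign that an attacker, like the TeamTNT operators here, used the host to pull or push images.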

Most organisations now run their infrastructure in containers on cloud platforms, so securing those cloud services against such threats is essential.

Threat groups actively exploit poorly configured infrastructure, such as Docker daemons reachable from the internet, to run cryptojacking and supply chain campaigns.

Experts urge organisations to apply the necessary security controls to their Docker containers, to set policies for how credentials and access are used, and to train developers on the threat models that apply in these areas.
