Docker Security Alert as TeamTNT Deploys Rootkits and Cryptominers
Threat Group: TeamTNT
Threat Type: Cryptojacking, Cloud Container Exploitation
Exploited Vulnerabilities: Misconfigured Docker APIs, SSH vulnerabilities in cloud environments
Malware Used: Custom cryptomining scripts, Tsunami malware, Diamorphine rootkit
Threat Score: Critical (9/10) — due to sophisticated, automated methods targeting widespread containerized and cloud infrastructures
Last Threat Observation: October 2024, by Group-IB and Aqua Security
Overview
TeamTNT has renewed its focus on targeting Docker and Kubernetes environments in cloud-based infrastructures. Their tactics involve exploiting exposed Docker APIs, deploying rootkits, and using malware that includes the Tsunami backdoor and customized cryptomining scripts to establish persistent control, hijack resources, and escalate privileges within cloud environments.
Key Details
- Delivery Method: Exploits exposed Docker APIs, brute-force SSH attacks.
- Target: Docker and Kubernetes environments, CentOS VPS instances.
- Functions:
  - Access Establishment: Compromises Docker environments through open API endpoints.
  - Resource Hijacking: Deploys cryptomining payloads for Monero mining.
  - Persistence Mechanisms: Installs the Diamorphine rootkit to evade detection.
  - Credential Theft: Steals cloud credentials and Docker Hub credentials.
  - Container-to-Host Escapes: Uses scripts to gain root access on host systems.
  - Obfuscation: The Diamorphine rootkit conceals malicious activity on systems.
Attack Vectors
TeamTNT’s primary approach includes targeting misconfigured Docker APIs and exposed SSH ports, allowing unauthorized access to deploy malicious Docker images and containers. These contain cryptominers and backdoors, capable of lateral movement across cloud environments, escalating the threat of widespread compromise across targeted infrastructure.
Known Indicators of Compromise (IoCs)
IP Addresses (Defanged)
- 45[.]154[.]2[.]77
- 95[.]182[.]101[.]23
Mitigation and Prevention
- Secure Docker APIs: Limit Docker API access to trusted networks, enforce HTTPS, and implement robust authentication measures.
- SSH Hardening: Limit SSH access to specific IPs, disable password logins, and employ key-based authentication.
- Monitoring and Response: Implement container-specific monitoring solutions to detect unusual Docker container activity.
- Rootkit Detection: Use rootkit detection tools such as rkhunter or chkrootkit to detect the Diamorphine rootkit.
- Cron Job Audits: Regularly review cron jobs for unauthorized entries.
- Network Segmentation: Enforce strict access control within Kubernetes and Docker networks to prevent unauthorized lateral movement.
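As an added example (not code from this advisory or from the cited vendors), the following Python audit checks the two host-side conditions the mitigation list targets: dockerd listening on TCP without TLS client verification, and containers whose HostConfig allows escape to the host. It reads daemon.json, the dockerd ExecStart line and `docker inspect` output as strings, so the sample inputs below are constructed and the file paths are assumptions.

```python
"""Offline audit for two misconfigurations named in this advisory: a Docker API
reachable without TLS client auth, and container settings enabling host escape."""
import json
import re
from urllib.parse import urlparse

SENSITIVE_HOST_PATHS = {"/", "/etc", "/root", "/var/run/docker.sock"}


def audit_daemon_config(daemon_json: str, exec_start: str) -> list[str]:
    """daemon_json: /etc/docker/daemon.json contents ("" if absent);
    exec_start: dockerd ExecStart line from the systemd unit or drop-in."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    hosts = list(cfg.get("hosts", [])) + re.findall(r"(?:-H|--host)[= ](\S+)", exec_start)
    tls_verify = bool(cfg.get("tlsverify")) or "--tlsverify" in exec_start
    findings = []
    for h in (h for h in hosts if h.startswith("tcp://")):  # unix:// and fd:// are local-only
        if (urlparse(h).hostname or "") in ("", "0.0.0.0", "::"):
            findings.append(f"API bound to all interfaces: {h}")
        if not tls_verify:
            findings.append(f"TCP API without TLS client verification: {h}")
    return findings


def audit_containers(inspect_json: str) -> list[str]:
    """Flag `docker inspect` output for privileged or host-sharing containers."""
    findings = []
    for c in json.loads(inspect_json):
        name, hc = c["Name"].lstrip("/"), c.get("HostConfig", {})
        if hc.get("Privileged"):
            findings.append(f"{name}: privileged container")
        if hc.get("PidMode") == "host":
            findings.append(f"{name}: shares host PID namespace")
        for bind in hc.get("Binds") or []:
            src = bind.split(":")[0]
            if src in SENSITIVE_HOST_PATHS:
                findings.append(f"{name}: sensitive host path mounted: {src}")
    return findings


# Constructed samples (not from any real host): weak vs. hardened daemon config, two containers.
WEAK_DAEMON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"], '
                   '"tlsverify": true, "tlscacert": "/etc/docker/ca.pem"}')
EXEC_START = "/usr/bin/dockerd -H fd://"
INSPECT = json.dumps([
    {"Name": "/web", "HostConfig": {"Privileged": False, "Binds": ["/srv/www:/usr/share/nginx/html"]}},
    {"Name": "/miner", "HostConfig": {"Privileged": True, "PidMode": "host", "Binds": ["/:/host"]}},
])

if __name__ == "__main__":
    for f in audit_daemon_config(WEAK_DAEMON, EXEC_START) + audit_containers(INSPECT):
        print("FINDING:", f)
```

The hardened sample (TCP bound to one address on 2376 with `tlsverify` set) produces no findings, which is the target state for the "Secure Docker APIs" item above.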
Conclusion
TeamTNT’s renewed activity emphasizes the need for organizations to implement strong security measures around Docker and Kubernetes. With their evolving toolkit and sophisticated approach to cloud environments, securing API endpoints, monitoring for unusual activity, and enforcing strict access policies are crucial for mitigating these threats effectively.
Sources
- AlienVault, Threat Intelligence Database
- Infosecurity Magazine, "Experts Warn of Impending TeamTNT Docker Attacks"
- SC Media, "TeamTNT Takes Down Docker Containers, Kubernetes Clusters"
- CyberMaterial, "TeamTNT Targets CentOS Servers with Rootkit"