Cybercriminal group TeamTNT exposes credentials to their attacker-controlled DockerHub accounts


The cybercriminal group TeamTNT has been observed leaking credentials to their attacker-controlled DockerHub accounts. The discovery was made by Trend Micro researchers who set up a number of honeypots based on exposed Docker REST APIs to track malicious activities.

“Our honeypots showed threat actor TeamTNT were leaking credentials from at least two of their attacker-controlled DockerHub accounts, namely alpineos (with over 150,000 pulls) and sandeep078 (with 200 pulls),” Trend Micro said in a report.

These DockerHub accounts were actively used to deploy malicious images containing rootkits, Docker escape kits, XMRig Monero miners, credential stealers, Kinsing malware, and Kubernetes exploit kits.

Of the two accounts mentioned above, the ‘alpineos’ account, which hosted malicious container images with over 150,000 pulls, was the more notable, the researchers said. They were able to trace the IP addresses used in exploitation attempts against the honeypots to a location in Germany.

“The threat actors were logged in to their accounts on the DockerHub registry and probably forgot to log out. Unless a user is not logged out manually, the header “X-Registry-Auth” stores the credentials,” Trend Micro explained.
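One way an operator of such a Docker REST API honeypot could surface this class of leak, as an added example that is not from Trend Micro's report: decode the X-Registry-Auth header (the base64url-encoded JSON auth config the Docker client attaches to pull requests) on each captured request and record only the account and registry, never the secret itself. The request records, account name and password below are constructed placeholders.

```python
import base64
import json

def _encode_auth(cfg: dict) -> str:
    """Encode an auth config the way the Docker client does (base64url JSON).
    Used here only to construct the sample traffic below."""
    return base64.urlsafe_b64encode(json.dumps(cfg).encode()).decode().rstrip("=")

# Constructed sample: requests as an exposed-Docker-REST-API honeypot might log them.
# Not real captured traffic; the account name and password are placeholders.
SAMPLE_REQUESTS = [
    {"path": "/v1.41/images/create?fromImage=alpine&tag=latest",
     "headers": {"User-Agent": "Docker-Client/20.10.7 (linux)"}},
    {"path": "/v1.41/images/create?fromImage=exampleuser/tooling&tag=latest",
     "headers": {"User-Agent": "Docker-Client/20.10.7 (linux)",
                 "X-Registry-Auth": _encode_auth({"username": "exampleuser",
                                                  "password": "placeholder-secret",
                                                  "serveraddress": "https://index.docker.io/v1/"})}},
    {"path": "/v1.41/images/create?fromImage=busybox&tag=latest",
     "headers": {"X-Registry-Auth": _encode_auth({})}},  # anonymous pull, empty auth config
]

def decode_registry_auth(value: str) -> dict:
    """Decode an X-Registry-Auth value; tolerates stripped padding and plain base64."""
    padded = value + "=" * (-len(value) % 4)
    data = json.loads(base64.urlsafe_b64decode(padded))
    return data if isinstance(data, dict) else {}

def redact(auth: dict) -> dict:
    """Keep what an analyst needs (who, which registry, whether a secret was sent)."""
    return {
        "username": auth.get("username", ""),
        "serveraddress": auth.get("serveraddress", ""),
        "has_secret": bool(auth.get("password") or auth.get("identitytoken")),
    }

def find_leaked_credentials(requests: list) -> list:
    """Flag every request that carried an X-Registry-Auth header, secret redacted."""
    findings = []
    for req in requests:
        headers = {k.lower(): v for k, v in req["headers"].items()}
        if "x-registry-auth" not in headers:
            continue
        try:
            auth = decode_registry_auth(headers["x-registry-auth"])
        except ValueError:  # bad base64, bad UTF-8 and bad JSON all derive from ValueError
            auth = {}
        findings.append({"path": req["path"].split("?", 1)[0], **redact(auth)})
    return findings
```

A finding with `has_secret` true against a honeypot means a real account's stored credentials were sent to an untrusted daemon, which is the condition to report to the registry operator.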

The researchers said they identified a total of 30 accounts that were compromised, the credentials for which were being leaked. The registries for these were DockerHub and Alibaba Cloud Container Registry. The research team said they didn’t access credentials that might have been abused by TeamTNT, and informed Docker about the compromised accounts.

TeamTNT’s accounts were discovered because of several mistakes made by one of its members.

The researchers provided three possible scenarios in which the user could have made this error:

  • The threat actors logged in to their DockerHub account using the credentials of alpineos.

  • The threat actors’ machines were self-infected and were not using credential helpers.

  • The threat actors didn’t log out from their DockerHub account while attacking exposed Docker REST API servers.

“Organizations’ security teams need to be aware that developer security is critical considering this type of compromise around developer-centric tools like Docker have been observed being abused by threat actors. We advise that teams create policies for access and credential use, as well as generate threat models of their environments. Security teams can use these to educate developers about what can go wrong,” Trend Micro advised.
