TeamTNT, a notorious cryptojacking group, is gearing up for a large-scale cyberattack campaign targeting cloud-native environments. The group is known for exploiting exposed Docker daemons to mine cryptocurrencies and rent out compromised servers to third parties. According to a report by Assaf Morag, director of threat intelligence at Aqua, TeamTNT is using Docker Hub as the infrastructure to spread malware, including the Sliver malware, a cyber worm, and cryptominers.
Datadog recently detected early signs of the campaign, which aims to compromise Docker environments and incorporate them into a Docker Swarm. The campaign focuses on mass-scanning for unauthenticated Docker API endpoints, with attacks initiated through a script that targets ports on millions of IP addresses.
Once the servers are compromised, TeamTNT uses them to mine cryptocurrencies like Monero. Additionally, they rent the computational power of infected servers to other users via Mining Rig Rentals, a mining rental platform. This diversification highlights the maturity of their illicit business model. The group also switched from using the Tsunami backdoor to the open-source Sliver command-and-control framework, a move that showcases their ability to evolve tactics.
The group's persistent attacks involve executing malicious commands via Docker containers and deploying an Alpine Linux image through a compromised Docker Hub account. These campaigns not only target cloud environments for crypto mining but also spread their malicious payloads further, using Anonymous DNS (anondns) to conceal the web servers that host them.
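The technique described above, scanning for unauthenticated Docker API endpoints and then creating containers through them, leaves two places a defender can look: the daemon's own configuration and the daemon's request log. The following is an added example (not code from Aqua, Datadog, or the article) with two checks: an audit of a `daemon.json` for a TCP listener exposed without `tlsverify`, which is the weak setting such scanners hunt for, and a scan of daemon log lines for the API calls an intruder needs (image pull, container create, exec, swarm join). The `daemon.json` contents and the log lines are constructed samples; the log lines mimic the `msg="Calling METHOD /path"` form that dockerd emits at debug level, and the file paths under `/etc/docker` are illustrative.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample daemon.json contents (not from the article).
# The weak form: the remote API listens on every interface on the
# unencrypted default port 2375 with no client-certificate check.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# The hardened form: bound to one management address on the TLS port 2376,
# with tlsverify so that only holders of a CA-signed client cert can connect.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",          # illustrative paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_daemon_config(daemon_json: str) -> list[str]:
    """Return findings for TCP listeners that expose the API unauthenticated."""
    cfg = json.loads(daemon_json)
    findings = []
    tls_verify = bool(cfg.get("tlsverify"))
    for host in cfg.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// listeners are local-only
        if not tls_verify:
            findings.append(f"{host}: TCP listener without tlsverify "
                            "(anyone who can reach the port has root-equivalent control)")
        if parts.hostname in (None, "", "0.0.0.0", "::"):
            findings.append(f"{host}: bound to all interfaces")
    if tls_verify:
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in cfg:
                findings.append(f"tlsverify is set but {key} is missing")
    return findings


# Constructed sample dockerd debug-log lines (not from the article).
SAMPLE_DOCKERD_LOG = [
    'time="2024-10-01T12:00:00Z" level=debug msg="Calling GET /_ping"',
    'time="2024-10-01T12:00:01Z" level=debug msg="Calling POST /v1.43/images/create?fromImage=alpine&tag=latest"',
    'time="2024-10-01T12:00:02Z" level=debug msg="Calling POST /v1.43/containers/create"',
    'time="2024-10-01T12:00:03Z" level=debug msg="Calling POST /v1.43/containers/3f2a/exec"',
    'time="2024-10-01T12:00:04Z" level=debug msg="Calling POST /v1.43/swarm/join"',
]

API_CALL = re.compile(r'msg="Calling (?P<method>[A-Z]+) (?P<path>/\S+)"')

# API paths that an intruder on an exposed daemon has to touch to pull an
# image, start a container, run commands in it, or enlist the host in a swarm.
SUSPICIOUS_PATHS = [
    (re.compile(r"/images/create"), "image pull over the API"),
    (re.compile(r"/containers/create"), "container creation over the API"),
    (re.compile(r"/containers/[^/]+/exec"), "exec into a running container"),
    (re.compile(r"/swarm/(init|join)"), "swarm membership change"),
]


def flag_api_calls(lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (method, path, reason) for each logged request worth reviewing."""
    hits = []
    for line in lines:
        m = API_CALL.search(line)
        if not m:
            continue
        for pattern, reason in SUSPICIOUS_PATHS:
            if pattern.search(m["path"]):
                hits.append((m["method"], m["path"], reason))
                break
    return hits


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(f"{label}: {audit_daemon_config(cfg) or ['no findings']}")
    for hit in flag_api_calls(SAMPLE_DOCKERD_LOG):
        print("review:", *hit)
```

On a host where the remote API is legitimately unused, the simplest fix is to leave `hosts` at the Unix socket only; where it is needed, the hardened form above plus a firewall rule restricting the management address is the baseline. The log check is a triage aid rather than a verdict: a `containers/create` from a trusted orchestrator is routine, so pair the hits with the client address and compare against the hosts that are supposed to drive the daemon.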
Cryptocurrency mining remains a lucrative target for cybercriminals, with attackers using compromised systems to mine digital currencies like Monero without the victim's knowledge. This allows threat actors to profit while staying under the radar, emphasizing the need for better cloud security and monitoring to prevent such attacks.