Full Report
Researchers observed TeamTNT, a threat group known to target cloud environments, in a campaign targeting cloud-native environments by compromising exposed Docker daemons. Using Docker Hub to distribute malware, the group employs cryptominers and the Sliver malware, enhancing t...
Analysis Summary
# Threat Actor: TeamTNT
## Attribution & Identity
Threat Group known to target cloud environments.
## Activity Summary
Observed in a campaign called "Docker Gatling Gun," targeting cloud-native environments by compromising exposed Docker daemons. The campaign distributes malware, including cryptominers and the Sliver malware, which provides enhanced command and control.
## Tactics, Techniques & Procedures
- Initial access via software misconfiguration (exposed Docker daemons).
- Public malicious container image distribution (via Docker Hub).
- Misconfigured Docker abuse.
- Resource hijacking (cryptomining using victim computational power, often rented to third parties).
- Appending compromised servers to Docker Swarms.
- Scanning for vulnerable systems using tools like Masscan.
## Targeting
- Sectors: Cloud-native environments.
- Geography: Not specified in the provided context.
- Victims: Organizations utilizing compromised/exposed Docker daemons.
## Tools & Infrastructure
- Malware families used: Sliver malware (replacing Tsunami backdoor), Cryptominers.
- Infrastructure: Docker Hub (for malware distribution).
## Implications
TeamTNT is capable of utilizing compromised cloud infrastructure for significant resource hijacking (cryptomining, potentially monetized through renting resources). The shift towards the stealthier Sliver malware indicates an effort to enhance C2 resilience and persistence.
## Mitigations
- Search for indicators of compromise (IoCs) in the environment.
- Immediately remove any identified malicious files.
- Re-deploy workloads from a known clean state.
- Secure or restrict access to exposed Docker daemons.
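The last mitigation above hinges on one configuration question: is the Docker API listening on a TCP socket without TLS client authentication? The following script is an added example written for this summary, not code from the report or from any vendor tool. It parses the two places where `dockerd` listeners are normally declared (the `hosts` key in `daemon.json`, and `-H`/`--host` flags on a systemd `ExecStart=` line) and rates each TCP listener; the sample configurations are constructed for illustration.

```python
"""
Audit a Docker daemon's listener configuration for unauthenticated remote
API exposure, the initial-access condition behind the campaign above.
Added example; the sample daemon.json and ExecStart= inputs are constructed.
"""
import json
import shlex
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
SEVERITY_RANK = {"INFO": 0, "WARNING": 1, "CRITICAL": 2}

# Constructed sample inputs (not taken from any real host).
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_DAEMON_JSON_TLS = (
    '{"hosts": ["tcp://0.0.0.0:2376"], "tlsverify": true, '
    '"tlscacert": "/etc/docker/ca.pem", "tlscert": "/etc/docker/server-cert.pem", '
    '"tlskey": "/etc/docker/server-key.pem"}'
)
SAMPLE_EXECSTART = (
    "ExecStart=/usr/bin/dockerd -H fd:// -H tcp://127.0.0.1:2375 "
    "--containerd=/run/containerd/containerd.sock"
)


def parse_daemon_json(text):
    """Extract listening hosts and the tlsverify setting from a daemon.json document."""
    cfg = json.loads(text)
    return {"hosts": list(cfg.get("hosts", [])), "tlsverify": bool(cfg.get("tlsverify", False))}


def parse_execstart(line):
    """Extract -H/--host values and --tlsverify from a systemd ExecStart= line.

    dockerd refuses to start when `hosts` is set both here and in daemon.json,
    so in practice only one of the two sources is authoritative on a given host.
    """
    if line.startswith("ExecStart="):
        line = line[len("ExecStart="):]
    args = shlex.split(line)
    hosts, tlsverify = [], False
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 2
            continue
        if arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    return {"hosts": hosts, "tlsverify": tlsverify}


def audit_hosts(cfg):
    """Return (severity, host, message) findings, one per TCP listener."""
    findings = []
    for host in cfg["hosts"]:
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// sockets are local-only, not a network exposure
        address = parts.hostname or ""  # "", 0.0.0.0 and :: all bind every interface
        remote = address not in LOOPBACK
        if cfg["tlsverify"]:
            findings.append(("INFO", host, "TCP API protected by mutual TLS (tlsverify)"))
        elif remote:
            findings.append(("CRITICAL", host,
                             "Docker API reachable over the network with no authentication"))
        else:
            findings.append(("WARNING", host,
                             "Unauthenticated TCP API on loopback; any local user gets daemon access"))
    return findings


def max_severity(findings):
    """Highest severity among findings, or "NONE" when no TCP listener exists."""
    if not findings:
        return "NONE"
    return max((f[0] for f in findings), key=SEVERITY_RANK.__getitem__)


if __name__ == "__main__":
    checks = [
        ("daemon.json (plain TCP)", parse_daemon_json(SAMPLE_DAEMON_JSON)),
        ("daemon.json (TLS)", parse_daemon_json(SAMPLE_DAEMON_JSON_TLS)),
        ("ExecStart line", parse_execstart(SAMPLE_EXECSTART)),
    ]
    for label, cfg in checks:
        print(f"== {label}: overall {max_severity(audit_hosts(cfg))}")
        for severity, host, message in audit_hosts(cfg):
            print(f"  [{severity}] {host}: {message}")
```

A CRITICAL finding here is the same condition the report's "exposed Docker daemon" wording describes; the fix is to drop the TCP listener, or to keep it only behind `tlsverify` with client certificates and a firewall rule limiting who can reach the port. Run the parser against the real `/etc/docker/daemon.json` and the unit's `ExecStart=` line rather than the constructed samples.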