Hackers are going after poorly configured Docker instances

Exposed Docker APIs have become popular targets, suggests new campaign

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Threat actors are continuing to exploit poorly configuredDocker instancesto conduct various malicious activities such as the installation of Monerocryptominers, warncybersecurityresearchers.

The ongoing campaign that began last month is being conducted by the TeamTNT hacking group, and was discovered by security experts atTrendMicro.

“Exposed Docker APIs have become prevalent targets for attackers as these allow them to execute their own malicious code with root privileges on a targeted host if security considerations are not accounted for,”notethe researchers.

We’re looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won’t take more than 60 seconds of your time, and we’d hugely appreciate if you’d share your experiences with us.

Click here to start the survey in a new window«

According to the researchers, the compromised container fetches various post-exploitation and lateral movement tools, including container escaping scripts, credential stealers, andcryptocurrencyminers.

Building on previous campaign

According to TrendMicro, the same threat actor was observed collecting Docker Hub credentials in aprevious campaignback in July.

TrendMicro fathoms that Docker Hub accounts compromised in the earlier campaign are being used in the ongoing campaign to drop malicious Docker images. In fact, TrendMicro reports that it has seen over 150,000 pulls of images from the malicious Docker Hub accounts.

Besides installing cryptominers, the threat actors scan for other vulnerable Internet-exposed Docker instances, and perform container-to-host escapes to access the main network that hosts the compromised Docker instances.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

TrendMicro also notes that while scanning for other vulnerable instances, the threat actors check ports that have been observed in past distributed denial-of-service (DDoS) botnet campaigns as well.

“This recent attack only highlights the increasing sophistication with which exposed servers are targeted, especially by capable threat actors like TeamTNT that use compromised user credentials to fulfill their malicious motives,” conclude the researchers, noting that they have already reached out to Docker, and the accounts involved in this attack have been removed.

Protect your servers using one of thesebest firewallapps and services,and ensure your computers are running thesebest endpoint protection toolsto ward off all kinds of attacks.

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’sTechRadar Pro’sexpert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.

Phishing attacks surge in 2024 as cybercriminals adopt AI tools and multi-channel tactics

This new phishing strategy utilizes GitHub comments to distribute malware

Smeg Combi Steam Oven review: a multi-functional countertop oven that looks stunning and cooks well