Researchers at Trend Micro have documented that the TeamTNT botnet now steals Docker credentials as well. TeamTNT infects hosts through exposed Docker APIs and installs cryptocurrency miners; it also steals AWS credentials in addition to mining coins.
An Upgraded TeamTNT Botnet
TeamTNT is a cryptocurrency-mining botnet that exploits exposed Docker APIs to gain access to victims' servers. Trend Micro researchers first reported it in mid-2020, detailing how it abuses misconfigured Docker APIs to get in and install cryptocurrency-mining software.
TeamTNT targets operators who run Docker with its API port open to the internet without any authentication. The attackers use this access to steal AWS credentials and to install their mining software.
Now, the same researchers report that the botnet has been upgraded to steal Docker credentials as well.
Previously, TeamTNT used the stolen AWS credentials to pivot into the victim's network (an individual's or a company's) and spread to other connected machines, installing crypto miners on those too. This made TeamTNT the first such botnet known to steal AWS credentials in addition to mining cryptocurrency.
Regarding the new update, Trend Micro senior security researcher Alfredo Oliveira said:
“The development technique was much more refined for this script.” He added: “There were no more endless lines of code, and the samples were well-written and organized by function with descriptive names.”
Since stolen Docker credentials give the botnet even more reach, he urged users to set firewall rules that limit access to the Docker API port rather than relying on strong passwords alone. Note that the Docker daemon's TCP socket has no password authentication at all: the only authentication it offers is TLS client certificates (tlsverify), so an API port that is reachable from the internet without TLS is open to anyone who finds it. Closing dormant ports and restricting access to only the few hosts that need it, as past incidents show, wards off most of these botnet attacks.