Docker Gatling Gun Campaign

Oct. 29, 2024, 1:57 p.m.

Description

Recent research has uncovered a new malicious campaign orchestrated by the notorious hacking group TeamTNT. The campaign exploits exposed Docker daemons to deploy Sliver malware, a cyber worm, and cryptominers, using compromised servers and Docker Hub as infrastructure for spreading its malicious payloads. TeamTNT leverages native cloud capabilities by adding compromised Docker instances to a Docker Swarm and using Docker Hub to store and distribute its malware, with the aim of renting out victims' computational resources to third parties for cryptomining operations.

Date

  • Created: Oct. 29, 2024, 1:51 p.m.
  • Published: Oct. 29, 2024, 1:51 p.m.
  • Modified: Oct. 29, 2024, 1:57 p.m.

Indicators


Attack Patterns