216.73.217.22

Docker Gatling Gun Campaign

· Published 29/10/2024 13:51 · Modified 29/10/2024 13:57

Export JSON

Essential information

Published
29/10/2024 13:51
Modified
29/10/2024 13:57
Tags
2024-10-26 2024-10-29 campaign cloud-native container security cryptomining docker docker hub docker swarm exposed-daemons malicious prochider sliver tsunami
Related entities
11 observables, 1 intrusion sets (apt), 14 techniques (mitre), 2 malware

Description

Recent research has uncovered a new orchestrated by the notorious hacking group TeamTNT. This exploits exposed daemons to deploy malware, a cyber worm, and cryptominers, utilizing compromised servers and as infrastructure for spreading their payloads. TeamTNT is leveraging native cloud capabilities by appending compromised instances to a and using to store and distribute their malware, aiming to rent out victim's computational resources to third parties for operations.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Observables (11)

  • 95.182.101.23
  • 45.154.2.77
  • devnull.anondns.net
  • teamtnt.red
  • solscan.store
  • solscan.online
  • solscan.one
  • solscan.life
  • 5bb45f372fb4df6a9c6a5460fa1845f5e96af53aa41939eb251cbe989a5cac6c
  • 43545f6cd370e6f200347bd9bbafdc3d94240775d816cd5e24dc8072d0f1c9b5
  • 0af1b8cd042b6e2972c8ef43d98c0a0642047ec89493d315909629bcf185dffd

Intrusion sets (APT) (1)

  • TeamTNT
    The MITRE Corporation Confidence 100

    [TeamTNT](https://attack.mitre.org/groups/G0139) is a threat group that has primarily targeted cloud and containerized environments. The group as been active since at least October 2019 and has mainly focused its …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13

Techniques (MITRE) (14)

  • T1589
    Gather Victim Identity Information
  • T1185
    Browser Session Hijacking
  • T1119
    Automated Collection
  • T1137
    Office Application Startup
  • T1539
    Steal Web Session Cookie
  • T1583
    Acquire Infrastructure
  • T1567
    Exfiltration Over Web Service
  • T1555
    Credentials from Password Stores
  • T1199
    Trusted Relationship
  • T1218
    System Binary Proxy Execution
  • T1496
    Resource Hijacking
  • T1053
    Scheduled Task/Job
  • T1190
    Exploit Public-Facing Application
  • T1059
    Command and Scripting Interpreter

Malware (2)

  • prochider
    Family
    Published 29/10/2024 13:51 · Modified 29/10/2024 13:51
  • Sliver
    Family
    Published 12/06/2026 21:29 · Modified 12/06/2026 21:29

External references