TeamTNT Attacks Honeypots Exposing their Own Credentials
Industry: N/A | Level: Tactical | Source: Trend Micro
Honeypots set up by Trend Micro have provided insight into activity from a TeamTNT operator attempting to exploit misconfigured Docker servers to compromise credentials. Trend Micro lured the threat actors by exposing the Docker REST API, which led to the identification of two TeamTNT Docker accounts: "Our honeypots showed threat actor TeamTNT were leaking credentials from at least two of their attacker-controlled DockerHub accounts, namely alpineos (with over 150,000 pulls) and sandeep078 (with 200 pulls). We have notified Docker about these accounts." Network traffic analysis of the request that creates a new container shows the X-Registry-Auth header carrying the client's credentials as a base64-encoded string. "Upon analysis, the credentials can be seen in the aforementioned header X-Registry-Auth only because the client initiating the request to create a container on a target server had authenticated it to their DockerHub container registry." Compromised Docker accounts could be leveraged by the threat actor to check for password reuse against the victim's email and enterprise accounts, or to contaminate the victim's build pipeline to facilitate a supply-chain attack. TeamTNT operators appear to have targeted this logging mechanism to compromise credentials; instead, the honeypot ended up revealing their attack plan. Trend Micro proposes three scenarios for how the threat actor ended up leaking their own credentials: (1) direct login with the alpineos credentials, (2) self-infection from not using Docker credential helpers, or (3) forgetting to log out of the DockerHub account. "The threat actors were logged in to their accounts on the DockerHub registry and probably forgot to log out. Unless a user is not logged out manually, the header X-Registry-Auth stores the credentials." Three exploitation attempts were made by the threat group between mid-September and early October 2021.
Tracing the IP address showed the deployments were made from Germany. Based on the observed activity, the threat actors were likely attempting to perform cryptojacking.
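As an added example (not code from the Trend Micro report), the following Python script decodes the X-Registry-Auth header from a logged Docker API request the way a honeypot or egress proxy would, and reports which registry account was exposed with the secret itself redacted. The request, account name, password and image name are constructed placeholders, and the header is built in the script from the same base64url-encoded JSON AuthConfig the Docker CLI sends.

```python
import base64
import json
from typing import Optional


def decode_registry_auth(value: str) -> dict:
    """Decode an X-Registry-Auth value into its AuthConfig JSON.

    The Docker CLI emits base64url; urlsafe_b64decode also accepts the
    standard alphabet, and padding is restored so stripped values decode.
    """
    token = value.strip()
    token += "=" * (-len(token) % 4)
    return json.loads(base64.urlsafe_b64decode(token))


def inspect_request(raw_request: str) -> Optional[dict]:
    """Return a finding if a logged Docker API request carries registry
    credentials in X-Registry-Auth; the password never leaves this function."""
    head, _, body = raw_request.replace("\r\n", "\n").partition("\n\n")
    lines = head.splitlines()
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    token = headers.get("x-registry-auth")
    if not token:
        return None
    auth = decode_registry_auth(token)
    password = auth.get("password", "")
    try:
        image = json.loads(body).get("Image")  # image the caller tried to run
    except (json.JSONDecodeError, AttributeError):
        image = None
    return {"endpoint": f"{method} {path}", "client": headers.get("user-agent"),
            "registry": auth.get("serveraddress"), "username": auth.get("username"),
            "password_leaked": bool(password), "password_length": len(password),
            "image": image}


def build_sample_request() -> str:
    """Constructed request: what a docker CLI logged in to a registry sends to
    create a container on a remote daemon (placeholder credentials only)."""
    auth = {"username": "exampleops", "password": "Placeholder-Passw0rd!",
            "email": "", "serveraddress": "https://index.docker.io/v1/"}
    token = base64.urlsafe_b64encode(json.dumps(auth).encode()).decode()
    body = json.dumps({"Image": "exampleops/agent:latest", "Cmd": ["/bin/sh"]})
    return ("POST /v1.41/containers/create HTTP/1.1\nHost: 192.0.2.10:2375\n"
            "User-Agent: Docker-Client/20.10.8 (linux)\n"
            f"Content-Type: application/json\nX-Registry-Auth: {token}\n\n{body}\n")


if __name__ == "__main__":
    print(json.dumps(inspect_request(build_sample_request()), indent=2))
```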