Researchers observed TeamTNT, a threat group known for targeting cloud environments, running a campaign against cloud-native environments that compromises exposed Docker daemons. Using Docker Hub to distribute malware, the group deploys cryptominers and the Sliver malware, improving its command-and-control capabilities. It is recommended to search your environment for indicators of compromise; if any are found, remove the files immediately and redeploy workloads from a known clean state.
TeamTNT’s campaign exploits publicly accessible Docker daemons to distribute malware and hijack resources. Compromised servers are appended to Docker Swarms, allowing the attackers to use victims' computational power indirectly for cryptomining, often renting it out to third parties. The group replaces its Tsunami backdoor with Sliver malware, a more advanced and stealthier framework supporting several C2 protocols such as HTTPS, DNS, and mTLS. Their attack flow involves scanning for vulnerable systems with tools like Masscan, appending compromised servers to the Docker Swarm, and deploying Alpine Linux containers with malicious payloads pulled from Docker Hub.
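As an added example (not code from the original report), the following Python audit checks a Docker host for the three conditions described above: a daemon listening on TCP without TLS verification, Swarm membership under a manager that is not ours, and running containers pulled from a registry outside an allowlist. The `daemon.json`, Swarm info and container records are constructed samples; the field names follow the JSON that `docker info` and `docker inspect` emit.

```python
from __future__ import annotations
import json
from urllib.parse import urlsplit

# Constructed sample of /etc/docker/daemon.json (hypothetical, not a real capture).
DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Constructed excerpt of `docker info --format '{{json .Swarm}}'` on a worker node.
SWARM_INFO = {"LocalNodeState": "active", "ControlAvailable": False,
              "RemoteManagers": [{"Addr": "203.0.113.7:2377"}]}

# Constructed excerpt of `docker inspect` output, trimmed to the fields used here.
CONTAINERS = [
    {"Name": "/web", "Config": {"Image": "registry.internal/app/web:1.4"}},
    {"Name": "/trusty_pike", "Config": {"Image": "alpine:latest"}},
]


def exposed_tcp_hosts(daemon_json: str) -> list[str]:
    """Return listen addresses reachable over TCP without TLS client verification.
    An unauthenticated daemon on tcp://0.0.0.0:2375 is the exposure this campaign scans for."""
    cfg = json.loads(daemon_json)
    if cfg.get("tlsverify"):
        return []
    return [h for h in cfg.get("hosts", []) if urlsplit(h).scheme == "tcp"]


def unexpected_swarm_managers(swarm: dict, known_managers: set[str]) -> list[str]:
    """Return Swarm manager addresses this node follows that are not in our inventory."""
    if swarm.get("LocalNodeState") != "active":
        return []
    return [m["Addr"] for m in swarm.get("RemoteManagers", []) if m["Addr"] not in known_managers]


def image_registry(image: str) -> str:
    """Resolve the registry of an image reference using Docker's naming rule:
    a first path component containing '.' or ':' (or 'localhost') names a registry,
    otherwise the image comes from Docker Hub (docker.io)."""
    first = image.split("/")[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def untrusted_containers(containers: list[dict], trusted_registries: set[str]) -> list[str]:
    """Return names of containers whose image was pulled from a registry outside the allowlist."""
    return [c["Name"].lstrip("/") for c in containers
            if image_registry(c["Config"]["Image"]) not in trusted_registries]
```

Feed it the live host's `daemon.json`, `docker info` and `docker inspect $(docker ps -q)` output and treat any non-empty result as a finding to triage.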