Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

TeamTNT Hackers Target Your Poorly Configured Docker Servers

TeamTNT Hackers Target Your Poorly Configured Docker Servers

Poorly configured Docker servers and being actively targeted by the TeamTNT hacking group in an ongoing campaign started last month.

According to a report by researchers at TrendMicro, the actors have three distinct goals: to install Monero cryptominers, scan for other vulnerable Internet-exposed Docker instances, and perform container-to-host escapes to access the main network.

As illustrated in an attack workflow, the attack starts with creating a container on the vulnerable host using an exposed Docker REST API.

Also Read: The 5 Important Things To Know In Security Pen Testing

TeamTNT Docker abuse workflow
TeamTNT Docker abuse workflow
Source: TrendMicro

TeamTNT then uses compromised, or actor-controlled Docker Hub accounts to host malicious images and deploy them on a targeted host.

TrendMicro has seen over 150,000 pulls of images from the malicious Docker Hub accounts as part of this campaign.

Next, the dropped container executes cronjobs and fetches various post-exploitation and lateral movement tools, including container escaping scripts, credential stealers, and cryptocurrency miners.

When scanning for other vulnerable instances, the threat actors check ports 2375, 2376, 2377, 4243, 4244, which has been observed in past DDoS botnet campaigns.

The actors also attempt to collect server info such as the OS type, architecture, number of CPU cores, container registry, and the current swarm participation status.

The container image that is created is based on the AlpineOS system and is executed with flags that allow root-level permissions on the underlying host.

Similarities between old and past container samples
Similarities between old and past container image samples
Source: TrendMicro

Finally, the IP address that is used for TeamTNT’s current infrastructure (45[.]9[.]148[.]182) has been associated with multiple domains that served malware in the past.

Also Read: The 5 Important Things To Know In Security Pen Testing

Previous campaign laid the groundwork

TrendMicro reports that this campaign also uses compromised Docker Hub accounts controlled by TeamTNT to drop malicious Docker images.

Using compromised Docker Hub accounts makes the distribution points more reliable for the actors, as they are harder to map, report, and takedown.

The actors were spotted collecting Docker Hub credentials in a previous campaign analyzed by TrendMicro in July when credentials stealers were deployed in attacks.

“Our  July 2021 research into TeamTNT showed that the group previously used credential stealers that would rake in credentials from configuration files. This could be how TeamTNT gained the information it used for the compromised sites in this attack,” explains TrendMicro’s research published today.

As such, TeamTNT demonstrates a high level of operational planning, being organized and purposeful in their goals.

Permanent threat to Docker systems

TeamTNT is a sophisticated actor that constantly evolves its techniques, shifts short-term targeting focus but remains a constant threat to vulnerable Docker systems.

They first created a worm to exploit Docker and Kubernetes en masse back in August 2020.

In October 2020, the actors added Monero mining and credential-stealing capabilities, targeting Docker instances.

In January 2021, TeamTNT upgraded its miners with sophisticated detection evasion tricks while still harvesting user credentials from the compromised servers.

Docker provides some “mandatory” tips that can be used lock down Docker’s REST API and prevent these types of attacks.

“Therefore it is mandatory to secure API endpoints with HTTPS and certificates. It is also recommended to ensure that it is reachable only from a trusted network or VPN,” explains Docker’s security guide.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us