[German]Security vendor Trend Micro has published a report highlighting how threat actor TeamTNT is going about compromising Docker Hub accounts. This is a follow up article, after they wrote about compromised Docker hub account abused for crypto mining. If anyone is running Docker, you might want to take a look.
Advertising
In early November 2021, Trend Micro had a report about compromised Docker Hub accounts used for mining cryptocurrencies and that these activities were associated with the threat actor TeamTNT. Although these accounts have since been removed, Trend Micro security researchers were able to continue investigating TeamTNT's activities related to these compromised accounts.
In the above tweet, Trend Micro Research announces a follow-up post describing how the TeamTNT attackers proceeded to take over the accounts. The compromised host was made a node of the Weave Scope cloud instance controlled by the threat actors, from where the attackers could execute various commands.
