{"id":43852,"date":"2021-11-09T00:00:00","date_gmt":"2021-11-09T00:00:00","guid":{"rendered":"urn:uuid:ef0033ea-b3f3-7c7e-285d-365adffeaaff"},"modified":"2021-11-09T00:00:00","modified_gmt":"2021-11-09T00:00:00","slug":"compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\/","title":{"rendered":"Compromised Docker Hub Accounts Abused for Cryptomining Linked to TeamTNT"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/k\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\/dockerteamtnt-main.jpg\"><\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"639361906\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" 
readability=\"8.2795389048991\">\n<div class=\"article-details\" role=\"heading\" readability=\"36.040345821326\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Cloud<\/p>\n<p class=\"article-details__description\">In October 2021, we observed threat actors targeting poorly configured servers with exposed Docker REST APIs by spinning up containers from images that execute malicious scripts.<\/p>\n<p class=\"article-details__author-by\">By: Trend Micro Research <time class=\"article-details__date\">November 09, 2021<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<p>As a part of our threat research, we closely monitor actively exploited vulnerabilities and misconfigurations. One such frequently abused misconfiguration is that of exposed Docker REST APIs.<\/p>\n<p>In October 2021, we observed threat actors targeting poorly configured servers with exposed Docker REST APIs by spinning up containers from images that execute malicious scripts that do the following:<\/p>\n<ol>\n<li>Download or bundle Monero cryptocurrency coin miners<\/li>\n<li>Perform container-to-host escape using well-known techniques<\/li>\n<li>Perform internet-wide scans for exposed ports from compromised containers<\/li>\n<\/ol><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/k\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\/fig1-dockertnt.png\" alt=\"Behavior of attacks targeting vulnerable Docker servers\"><figcaption>Figure 1. 
Behavior of attacks targeting vulnerable Docker servers<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"35.5\">\n<div readability=\"16\">\n<p>We identified Docker Hub registry accounts that were either compromised or belonged to TeamTNT. These accounts were being used to host malicious images and were an active part of botnets and malware campaigns that abused the Docker REST API. We have reached out to Docker, and the accounts in question have been removed.<\/p>\n<p>In this blog, we discuss two such accounts that were used to spread cryptocurrency miners by abusing the Docker REST API.<\/p>\n<p><span class=\"body-subhead-title\">Malicious script found in Docker images<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/k\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\/fig2-dockertnt.png\" alt=\"Contents of Docker images\"> <\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/k\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\/fig3-dockertnt.png\" alt=\"Contents of Docker images\"><figcaption>Figures 2 and 3. 
Contents of Docker images<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>The images contain a malicious script named \u201cpause\u201d that is run whenever a new container is spawned from them.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/k\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\/fig4-dockertnt.png\" alt=\"Contents of source code\"> <\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/k\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\/fig5-dockertnt.png\" alt=\"Contents of source code\"> <\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/k\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\/fig6-dockertnt.png\" alt=\"Contents of source code\"><figcaption>Figures 4-6. Contents of source code<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35.5\">\n<div readability=\"16\">\n<p>INIT_MAIN first calls the SETUP_APPS function, which installs and updates the tools used in the subsequent stages of the attack.<\/p>\n<p>INIT_MAIN then enters an infinite loop. On each iteration it sends a GET request to http:\/\/teamtnt[.]red\/RangeDA.php and stores the numeric response in the $RANGE variable, which is later passed to the \u201cpwn\u201d function as its argument. If the curl request fails, a random number between 1 and 255 is generated and assigned to $RANGE instead.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/k\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\/fig7-dockertnt.png\" alt=\"Code of pwn function\"><figcaption>Figure 7. Code of pwn function<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"41.251124437781\">\n<div readability=\"27.832083958021\">\n<p>\u201cpwn\u201d is a wrapper around masscan that scans for ports 2375, 2376, 2377, 4243, and 4244 (ports commonly used by the Docker daemon), similar to the distributed denial-of-service (DDoS) botnet artifacts we reported in <a href=\"https:\/\/www.trendmicro.com\/vinfo\/id\/security\/news\/cybercrime-and-digital-threats\/coinminer-ddos-bot-attack-docker-daemon-ports\">2020<\/a>. In this case, however, the results are handed to another function, CHECK_INTER_SERVER, which receives the IP addresses and port values.<\/p>\n<p>CHECK_INTER_SERVER first requests the \u201cinfo\u201d endpoint of the exposed Docker REST API and checks whether the operating system of the remote host contains \u201clinux\u201d. This endpoint returns a wealth of metadata about the server, such as the number of paused, running, and stopped containers, the supported runtimes, the server version, the architecture, and more.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/k\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\/fig8-dockertnt.png\" alt=\"CHECK_INTER_SERVER function\"><figcaption>Figure 8. 
CHECK_INTER_SERVER function<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>We observed that the code reads the following properties from the \u201cinfo\u201d response to set flags and to identify whether the server being scanned is a Docker swarm manager:<\/p>\n<ol>\n<li>OSType: the operating system of the server<\/li>\n<li>Repository: the container registry configured for use<\/li>\n<li>Architecture: the CPU architecture of the server<\/li>\n<li>Swarm: the current swarm participation status<\/li>\n<li>CPUs: the number of CPU cores on the server<\/li>\n<\/ol>\n<p>To gather more details about the misconfigured server, such as uptime and total available memory, the threat actors also spin up containers with the docker CLI, doing the following:<\/p>\n<ol>\n<li>Setting the \u201c--privileged\u201d flag<\/li>\n<li>Sharing the network namespace of the underlying host (\u201c--net=host\u201d)<\/li>\n<li>Mounting the underlying host\u2019s root file system at the container path \u201c\/host\u201d<\/li>\n<\/ol><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/k\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\/fig9-dockertnt.png\" alt=\"Code for spinning up containers\"><figcaption>Figure 9. 
Code for spinning up containers<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<p>Immediately after this, the script spawns a new container from the image \u201calpineos\/dockerapi\u201d with the \u201c--privileged\u201d flag, the host root file system mounted, and the host\u2019s network namespace shared. As of November 09, 2021, this image had more than 10,000 pulls from Docker Hub.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/k\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\/fig10-dockertnt.png\" alt=\"Spawning of new container\"><figcaption>Figure 10. Spawning of new container<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>Once this is done, the script attempts to spawn another container on the same server, this time with a different purpose.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/k\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\/fig11-dockertnt.png\" alt=\"Spawning a container, with base64-encoded string\"><figcaption>Figure 11. 
Spawning a container, with base64-encoded string<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>This container is created from the official \u201calpine\u201d image and started with the same flags, which grant root-level access to the underlying host. The difference is the command: a base64-encoded string is decoded and piped to \u201cbash\u201d.<\/p>\n<p>Here is the string after decoding:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/k\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\/fig12-dockertnt.png\" alt=\"Decoded string\"><figcaption>Figure 12. Decoded string<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>A new Secure Shell (SSH) key pair is created, and the immutable attribute is set on the relevant directories so that their contents cannot be modified or deleted. TeamTNT\u2019s public key is appended to \/root\/.ssh\/authorized_keys so that the threat actors can log in using the generated key pair. The public key file is removed afterwards.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/k\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\/fig13-dockertnt.png\" alt=\"TeamTNT-related encryption key\"><figcaption>Figure 13. 
TeamTNT-related encryption key<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<p>Monero miner scripts are then downloaded from TeamTNT\u2019s server and piped to \u201cbash\u201d over an SSH session to the underlying host as the \u201croot\u201d user, authenticating with the private key stored at \u201c\/tmp\/TeamTNT\u201d. That private key is removed afterwards as well.<\/p>\n<p>A quick look at the history of the images {Redacted account} (left) and \u201calpineos\/docker2api\u201d (right) shows the commands that are executed when a container is created from each image. Note the \u201cpause\u201d script in both.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/k\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\/fig14-dockertnt.png\" alt=\"Docker image code\"><figcaption>Figure 14. 
Docker image code<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>Diffing the \u201cpause\u201d scripts from the two images shows that the code is strikingly similar, with a few differences:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/k\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\/fig15a-dockertnt.png\" alt=\"The \u201cpause\u201d scripts from images\"> <\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/k\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\/fig15-dockertnt.png\" alt=\"The \u201cpause\u201d scripts from images\"><figcaption>Figure 15. The \u201cpause\u201d scripts from images<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"44.576071596797\">\n<div class=\"responsive-table-wrap\" readability=\"34.67027790862\">\n<p>In particular, masscan is invoked differently in the two scripts. 
There are also a few commented-out sections, indicating that the threat actors were still developing and testing their tooling.<\/p>\n<p>Notably, the IP address 45[.]9[.]148[.]182 has a history of association with TeamTNT\u2019s infrastructure, as multiple domains have pointed to it:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">dl.chimaera[.]cc<\/span><\/li>\n<li><span class=\"rte-red-bullet\">githb[.]net (inactive)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">github-support[.]com (inactive)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">irc.borg[.]wtf<\/span><\/li>\n<li><span class=\"rte-red-bullet\">irc.chimaera[.]cc<\/span><\/li>\n<li><span class=\"rte-red-bullet\">irc.teamtnt[.]red<\/span><\/li>\n<\/ul>\n<p>Our <a href=\"https:\/\/www.trendmicro.com\/vinfo\/tmr\/?\/us\/security\/news\/cybercrime-and-digital-threats\/teamtnt-activities-probed\">July 2021 research<\/a> into TeamTNT showed that the group previously used credential stealers that harvest credentials from configuration files. This could be how TeamTNT obtained the credentials for the compromised Docker Hub accounts used in this attack.<\/p>\n<p>Based on the scripts being executed and the tooling used to deliver the coinminers, we arrive at the following conclusions connecting this attack to TeamTNT:<\/p>\n<ol>\n<li>\u201calpineos\u201d (with more than 150,000 pulls across all of its images combined) is one of the primary Docker Hub accounts actively used by TeamTNT.<\/li>\n<li>Compromised Docker Hub accounts are being controlled by TeamTNT to spread coinmining malware.<\/li>\n<\/ol>\n<p>We have already reached out to Docker, and the accounts involved in this attack have been removed. 
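<\/p>\n
<p>The container-creation pattern described above (a privileged container, the host network namespace, the host root file system bound at \/host, and a base64 blob decoded into bash) is easy to recognize in the records the Docker Engine API returns for a container. The following Python audit is an added example and is not code from the original article or from the threat actor\u2019s scripts. The field names it reads (Config.Image, Config.Cmd, HostConfig.Privileged, HostConfig.NetworkMode, HostConfig.Binds) are the documented Docker Engine API fields; the sample records are constructed to mirror Figures 9 to 11 rather than captured from a real host, and the SSH payload inside them is a placeholder.<\/p>\n
```python
import base64
import json

# Added example (not the article's or TeamTNT's code): audit Docker Engine
# container records for the creation pattern described in the article.
# Records use the shape of `docker inspect` / GET /containers/{id}/json.

# Docker Hub namespace named in the article; extend with your own denylist.
SUSPECT_NAMESPACES = {'alpineos'}

# Substrings that, in the decoded base64 payload, correspond to the SSH
# persistence steps the article describes (key drop, immutable attribute).
PERSISTENCE_MARKERS = ('authorized_keys', 'chattr +i', '.ssh')


def _command_text(config):
    # Entrypoint and Cmd are string lists in the Engine API; flatten them
    # into a single whitespace-normalized string for matching.
    parts = list(config.get('Entrypoint') or []) + list(config.get('Cmd') or [])
    return ' '.join(' '.join(parts).split())


def _image_namespace(image):
    # 'alpine' -> library, 'alpineos/dockerapi' -> alpineos,
    # 'docker.io/alpineos/dockerapi' -> alpineos (registry prefix dropped).
    parts = image.split('/')
    if len(parts) > 1 and ('.' in parts[0] or ':' in parts[0]):
        parts = parts[1:]
    return parts[0] if len(parts) > 1 else 'library'


def _decode_piped_payload(text):
    # Recover the blob from an `echo <b64> | base64 -d | bash` style command.
    tokens = text.split()
    for i, tok in enumerate(tokens):
        if tok == 'base64' and i >= 2 and tokens[i - 1] == '|':
            try:
                return base64.b64decode(tokens[i - 2], validate=True).decode('utf-8', 'replace')
            except ValueError:
                return None
    return None


def audit_container(record):
    # Return the list of findings for one container record (empty if clean).
    config = record.get('Config') or {}
    host = record.get('HostConfig') or {}
    findings = []

    if host.get('Privileged'):
        findings.append('privileged container')
    if host.get('NetworkMode') == 'host':
        findings.append('shares host network namespace')
    for bind in host.get('Binds') or []:
        src, _, rest = bind.partition(':')
        if src == '/':
            findings.append('host root filesystem mounted at ' + rest.split(':')[0])

    image = config.get('Image') or ''
    if _image_namespace(image) in SUSPECT_NAMESPACES:
        findings.append('image from flagged Docker Hub account: ' + image)

    text = _command_text(config)
    decodes = 'base64 -d' in text or 'base64 --decode' in text
    if decodes and ('| bash' in text or '| sh' in text):
        findings.append('base64 payload decoded and piped to a shell')
        payload = _decode_piped_payload(text)
        if payload:
            hits = [m for m in PERSISTENCE_MARKERS if m in payload]
            if hits:
                findings.append('decoded payload touches ' + ', '.join(hits))
    return findings


# Constructed sample records (not captured data) mirroring Figures 9 to 11.
# The SSH key and payload are placeholders, not TeamTNT's.
_PAYLOAD = base64.b64encode(
    b'mkdir -p /root/.ssh; echo ssh-rsa AAAA... >> /root/.ssh/authorized_keys; chattr +i /root/.ssh'
).decode('ascii')

SAMPLE_RECORDS = {
    'recon': {
        'Config': {'Image': 'alpineos/dockerapi', 'Cmd': None},
        'HostConfig': {'Privileged': True, 'NetworkMode': 'host', 'Binds': ['/:/host']},
    },
    'persist': {
        'Config': {'Image': 'alpine', 'Cmd': ['sh', '-c', 'echo ' + _PAYLOAD + ' | base64 -d | bash']},
        'HostConfig': {'Privileged': True, 'NetworkMode': 'host', 'Binds': ['/:/host']},
    },
    'benign': {
        'Config': {'Image': 'nginx:1.25', 'Cmd': ['nginx', '-g', 'daemon off;']},
        'HostConfig': {'Privileged': False, 'NetworkMode': 'bridge',
                       'Binds': ['/srv/www:/usr/share/nginx/html:ro']},
    },
}


def audit_all(records=SAMPLE_RECORDS):
    return {name: audit_container(rec) for name, rec in records.items()}


if __name__ == '__main__':
    print(json.dumps(audit_all(), indent=2))
```
<p>Feed it the output of docker inspect (or GET \/containers\/{id}\/json) from any daemon that has listened on TCP port 2375 without TLS client authentication. The scanner in the \u201cpwn\u201d function only needs the \u201cinfo\u201d endpoint to answer, so a container that matches the first three findings and that nobody on the team created is a strong sign the host has already been used as a foothold, and the decoded-payload finding tells you to check \/root\/.ssh for keys that are not yours.<\/p>\n
<p>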
In an upcoming blog post, we will take a closer look at the attack techniques used by the threat actor.<\/p>\n<p><span class=\"body-subhead-title\">Conclusion<\/span><\/p>\n<p>Exposed Docker APIs have become prevalent targets for attackers because, when no security controls are in place, they allow anyone who can reach the API to execute code with root privileges on the targeted host. This recent attack highlights the increasing sophistication with which exposed servers are targeted, especially by capable threat actors like TeamTNT that use compromised user credentials to further their goals.<\/p>\n<p><span class=\"body-subhead-title\">Indicators of Compromise<\/span><\/p>\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\">\n<tbody readability=\"3\">\n<tr>\n<td><b>Type<\/b><\/td>\n<td><b>Identifier\/Hash (SHA-256)<\/b><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>Shell script<\/td>\n<td>79ed63686c8c46ea8219d67924aa858344d8b9ea191bf821d26b5ae653e555d9<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>Shell script<\/td>\n<td>497c5535cdc283079363b43b4a380aefea9deb1d0b372472499fcdcc58c53fef<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>Shell script<\/td>\n<td>a68cbfa56e04eaf75c9c8177e81a68282b0729f7c0babc826db7b46176bdf222<\/td>\n<\/tr>\n<tr>\n<td>Domain<\/td>\n<td>teamtnt[.]red<\/td>\n<\/tr>\n<tr>\n<td>IP address<\/td>\n<td>45[.]9[.]148[.]182<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n Read More <a 
href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/k\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-t.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In October 2021, we observed threat actors targeting poorly configured servers with exposed Docker REST APIs by spinning up containers from images that execute malicious scripts. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":43853,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9520,9511,9509],"class_list":["post-43852","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cloud","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Compromised Docker Hub Accounts Abused for Cryptomining Linked to TeamTNT 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Compromised Docker Hub Accounts Abused for Cryptomining Linked to TeamTNT 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2021-11-09T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/11\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1602\" \/>\n\t<meta property=\"og:image:height\" content=\"1063\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Compromised Docker Hub Accounts Abused for Cryptomining Linked to TeamTNT\",\"datePublished\":\"2021-11-09T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\\\/\"},\"wordCount\":1202,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/11\\\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt.png\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cloud\",\"Trend Micro Research : Cyber Threats\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\\\/\",\"name\":\"Compromised Docker Hub Accounts Abused for 
Cryptomining Linked to TeamTNT 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/11\\\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt.png\",\"datePublished\":\"2021-11-09T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/11\\\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/11\\\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt.png\",\"width\":1602,\"height\":1063},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtn
t\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Compromised Docker Hub Accounts Abused for Cryptomining Linked to TeamTNT\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Compromised Docker Hub Accounts Abused for Cryptomining Linked to TeamTNT 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\/","og_locale":"en_US","og_type":"article","og_title":"Compromised Docker Hub Accounts Abused for Cryptomining Linked to TeamTNT 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2021-11-09T00:00:00+00:00","og_image":[{"width":1602,"height":1063,"url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/11\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt.png","type":"image\/png"}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Compromised Docker Hub Accounts Abused for Cryptomining Linked to TeamTNT","datePublished":"2021-11-09T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\/"},"wordCount":1202,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/11\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt.png","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cloud","Trend Micro Research : Cyber Threats","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\/","url":"https:\/\/www.threatshub.org\/blog\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\/","name":"Compromised Docker Hub Accounts Abused for Cryptomining Linked to TeamTNT 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/11\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt.png","datePublished":"2021-11-09T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/11\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/11\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt.png","width":1602,"height":1063},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-to-teamtnt\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, 
Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Compromised Docker Hub Accounts Abused for Cryptomining Linked to TeamTNT"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/43852","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=43852"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/43852\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/43853"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=43852"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=43852"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=43852"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}