{"id":44214,"date":"2021-12-01T00:00:00","date_gmt":"2021-12-01T00:00:00","guid":{"rendered":"urn:uuid:793e0b07-8f81-8d81-fc6d-8c1059de513c"},"modified":"2021-12-01T00:00:00","modified_gmt":"2021-12-01T00:00:00","slug":"analyzing-how-teamtnt-used-compromised-docker-hub-accounts","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/analyzing-how-teamtnt-used-compromised-docker-hub-accounts\/","title":{"rendered":"Analyzing How TeamTNT Used Compromised Docker Hub Accounts"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/more-tools-in-the-arsenal\/compromiseddocker-main.jpg\"> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"51.397580782554\"> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"1718330776\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"8.2756598240469\">\n<div class=\"article-details\" role=\"heading\" readability=\"36.023460410557\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Cloud<\/p>\n<p 
class=\"article-details__description\">Following our previous disclosure of compromised Docker Hub accounts delivering cryptocurrency miners, we analyze these accounts and discover more malicious actions that you need to be aware of.<\/p>\n<p class=\"article-details__author-by\">By: Nitesh Surana <time class=\"article-details__date\">December 01, 2021<\/time> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"36.460130718954\">\n<div readability=\"20.149019607843\">\n<p>In early November, we disclosed that <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/k\/compromised-docker-hub-accounts-abused-for-cryptomining-linked-t.html\">compromised Docker Hub accounts<\/a> were being used for cryptocurrency mining and that these activities were tied to the TeamTNT threat actor. While those accounts have now been removed, we were still able to investigate TeamTNT\u2019s activities in connection with these compromised accounts.<\/p>\n<p>In addition to the behavior we noted earlier, we identified several other actions that the same threat actor carried out in different venues. One was the use of Weave Scope, a legitimate tool by Weaveworks used to monitor and control deployed containers.<\/p>\n<p><b><span class=\"body-subhead-title\">Weave Scope<\/span><\/b><\/p>\n<p>Weave Scope is a visualization and monitoring tool for Docker and Kubernetes. 
System administrators can use this to monitor and control their deployed containers\/pods\/workloads.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/more-tools-in-the-arsenal\/teamtnt-more-tools-01.png\" alt=\"Weave Scope window\"><figcaption>Figure 1. Weave Scope window<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"36\">\n<div readability=\"17\">\n<p>One can manage running containers by executing, rebooting, pausing, stopping or even deleting containers, all of which can be controlled from a web console (either local or in the cloud).<\/p>\n<p>In this attack scenario, the compromised underlying host was made a node of the threat actor-controlled Weave Scope Cloud instance, from where they could execute various commands.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/more-tools-in-the-arsenal\/teamtnt-more-tools-02.png\" alt=\"Terminal command executed via Weave Scope\"><figcaption>Figure 2. Terminal command executed via Weave Scope<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>The administration features make Weave Scope an interesting target. This is how attackers targeted this recently:<\/p>\n<p><b>1.<\/b> The attacker spins up a new privileged container based on an image from a compromised account. 
In the arguments, the attacker attempts to mount the root file system of the underlying host to the \u2018\/host\u2019 mount point and executes a bash script fetched from the attacker\u2019s infrastructure.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/more-tools-in-the-arsenal\/teamtnt-more-tools-03.png\" alt=\"Code to spin up new container\"> <\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/more-tools-in-the-arsenal\/teamtnt-more-tools-04.png\" alt=\"Code to spin up new container\"> <\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/more-tools-in-the-arsenal\/teamtnt-more-tools-05.png\" alt=\"Code to spin up new container\"><figcaption>Figures 3-5. Code to spin up new container<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p><b>2.&nbsp;<\/b>The script \u2018scope2.sh\u2019 is downloaded and piped to \u2018bash\u2019 to be executed. The script initially checks whether the hostname\u2019s value is \u2018HaXXoRsMoPPeD\u2019, halting execution if it is. This looks like a marker used to check whether a system has already been compromised.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/more-tools-in-the-arsenal\/teamtnt-more-tools-06.png\" alt=\"Script checking for hostname\"><figcaption>Figure 6. 
Script checking for hostname<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35.5\">\n<div readability=\"16\">\n<p><b>3.<\/b> Environment variables are set, which override localization settings, prevent command history logging, and export a new path.<\/p>\n<p><b>4. <\/b>A variable \u2018SCOPE_TOKEN\u2019 is populated from an attacker-controlled endpoint and contains the Weave Scope service token. \u2018SCOPESHFILE\u2019 contains the Weave Scope script, encoded in base64.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/more-tools-in-the-arsenal\/teamtnt-more-tools-07.png\" alt=\"Encoded script\"><figcaption>Figure 7. Encoded script<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"43\">\n<div readability=\"31\">\n<p><b>5. <\/b>The path to the \u2018docker\u2019 binary is fetched using \u2018type docker\u2019. To evade any TTY events, its output is redirected to \u2018\/dev\/null\u2019. Based on this, the execution proceeds.<\/p>\n<p><b>6. <\/b>The file \u2018\/tmp\/.ws\u2019 is checked:<\/p>\n<p>a. If the file doesn\u2019t exist, the following commands are executed:<\/p>\n<p>i. The \u2018\/tmp\/\u2019 path is remounted with read-write permissions using the \u2018mount\u2019 utility.<\/p>\n<p>ii. The base64-encoded string in the \u2018SCOPESHFILE\u2019 variable is decoded and the output is redirected to \u2018\/tmp\/.ws\u2019. This is the Weaveworks script, and it is hidden by default since the file name begins with a \u2018.\u2019.<\/p>\n<p>iii. The permissions of the newly created script are changed to executable using \u2018chmod\u2019.<\/p>\n<p>b. If the file \u2018\/tmp\/.ws\u2019 exists, then execution proceeds as follows:<\/p>\n<p>i. The \u2018\/tmp\/\u2019 path is remounted as read-write using the \u2018mount\u2019 utility.<\/p>\n<p>ii. 
The Weaveworks utility Weave Scope at \/tmp\/.ws is stopped and relaunched with the service token fetched in step 4.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/more-tools-in-the-arsenal\/teamtnt-more-tools-08.png\" alt=\"Stop and relaunch of Weave Scope utility\"><figcaption>Figure 8. Stop and relaunch of Weave Scope utility<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"36.415789473684\">\n<div readability=\"18.7\">\n<p>Weaveworks published a <a href=\"https:\/\/www.weave.works\/blog\/preventing-malicious-use-of-weave-scope\" target=\"_blank\" rel=\"noopener\">blog post<\/a> in September 2020 that shared best practices for securing Weave Scope. Unfortunately, the abuse of this legitimate tool is still quite prevalent.<\/p>\n<p><b>Trend Micro Solutions<\/b><\/p>\n<p><i>Cloud One Workload Security\u2122<\/i><\/p>\n<p>When a new container is created over the Docker daemon\u2019s REST API, the rule \u20181010326 \u2013 Identified Docker Daemon Remote API Call\u2019 triggers, with different notes for the different steps of creating the container from the image.<\/p>\n<p>Events are generated when the \u2018containerd\u2019 process is created and are logged using the Integrity Monitoring module:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/more-tools-in-the-arsenal\/teamtnt-more-tools-09.png\" alt=\"Alert for containerd process\"><figcaption>Figure 9. Alert for containerd process<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>When the Docker daemon is observed listening on a TCP port, the Log Inspection module detects this, as seen below:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div 
class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/more-tools-in-the-arsenal\/teamtnt-more-tools-10.png\" alt=\"Results of Log Inspection module\"><figcaption>Figure 10. Results of Log Inspection module<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p>The AntiMalware Module detects the malicious script \u2018scope2.sh\u2019 as a Trojan:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/more-tools-in-the-arsenal\/teamtnt-more-tools-11.png\" alt=\"Detection of malicious script\"><figcaption>Figure 11. Detection of malicious script<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>Intrusion Prevention<\/p>\n<ol>\n<li>1010326 &#8211; Identified Docker Daemon Remote API Call<\/li>\n<li>1010561 &#8211; Identified Kubernetes Unprotected Primary Channel Information Disclosure<\/li>\n<li>1010762 &#8211; Identified Kubernetes API Server LoadBalancer Status Patch Request<\/li>\n<li>1010769 &#8211; Identified Kubernetes Namespace API Requests<\/li>\n<li>1009493 &#8211; Kubernetes Dashboard Authentication Bypass Information Disclosure Vulnerability (CVE-2018-18264)<\/li>\n<li>1009450 &#8211; Kubernetes API Proxy Request Handling Privilege Escalation Vulnerability (CVE-2018-1002105)<\/li>\n<li>1009561 &#8211; Kubernetes API Server Denial of Service Vulnerability (CVE-2019-1002100)<\/li>\n<\/ol>\n<p>Log Inspection<\/p>\n<ol>\n<li>1009105 \u2013 Kubernetes<\/li>\n<li>1008619 &#8211; Application \u2013 Docker<\/li>\n<li>1010349 &#8211; Docker Daemon Remote API Calls<\/li>\n<\/ol>\n<p>Integrity Monitoring&nbsp;<\/p>\n<ol>\n<li>1008271 \u2013 Application &#8211; Docker<\/li>\n<li>1009060 &#8211; 
Application &#8211; Kubernetes Cluster master<\/li>\n<li>1009434 &#8211; Application &#8211; Kubernetes Cluster node<\/li>\n<\/ol>\n<p><i>Cloud One Network Security\u2122<\/i><\/p>\n<p>The following rules are triggered by this attack in Network Security:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">29993: HTTP: Docker Container With Root Directory Mounted with Write Permission Creation Attempt<\/span><\/li>\n<li><span class=\"rte-red-bullet\">33719: HTTP: Docker Daemon &#8220;create\/exec&#8221; API with &#8220;Cmd&#8221; Key Set to Execute Shell Commands<\/span><\/li>\n<li><span class=\"rte-red-bullet\">33905: HTTP: Kubernetes API Proxy Request Handling Privilege Escalation Vulnerability<\/span><\/li>\n<li><span class=\"rte-red-bullet\">34487: HTTP: Kubernetes Dashboard Authentication Bypass Vulnerability<\/span><\/li>\n<li><span class=\"rte-red-bullet\">34488: HTTPS: Kubernetes Dashboard Authentication Bypass Vulnerability<\/span><\/li>\n<li><span class=\"rte-red-bullet\">34668: HTTP: Docker Build Image API Request with remote and networkmode Parameters Set<\/span><\/li>\n<li><span class=\"rte-red-bullet\">34796: HTTP: Docker Version API Check Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">35799: HTTP: Kubernetes Overlength json-patch Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38836: HTTP: Kubernetes API Namespaces Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38837: HTTP: Kubernetes API Namespaces Status Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38838: HTTP: Kubernetes API Create Namespace Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38839: HTTP: Kubernetes API Delete Namespace Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38840: HTTP: Kubernetes API Update Namespace Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38847: HTTP: Kubernetes API Server loadBalancer Status Patch Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38892: HTTP: Kubernetes API Admission 
Control Create Mutating Webhook Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38893: HTTP: Kubernetes API Admission Control Create Validating Webhook Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38896: HTTP: Kubernetes API Admission Control Resources Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38898: HTTP: Kubernetes API Admission Control List Mutating Webhook Configurations Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38899: HTTP: Kubernetes API Admission Control List Validating Webhook Configurations Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38901: HTTP: Kubernetes API Admission Control Delete Validating Webhook Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38902: HTTP: Kubernetes API Admission Control Delete Mutating Webhook Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38903: HTTP: Kubernetes API Admission Control Update Validating Webhook Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38904: HTTP: Kubernetes API Admission Control Update Mutating Webhook Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38905: HTTP: Kubernetes API Admission Control Read Mutating Webhook Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38906: HTTP: Kubernetes API Admission Control Read Validating Webhook Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38907: HTTP: Kubernetes API Admission Control Replace Mutating Webhook Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38908: HTTP: Kubernetes API Admission Control Replace Validating Webhook Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38909: HTTP: Kubernetes API CustomResourceDefinition Resources Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38910: HTTP: Kubernetes API Create CustomResourceDefinition Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38916: HTTP: Kubernetes API List CustomResourceDefinition Resources Request<\/span><\/li>\n<li><span 
class=\"rte-red-bullet\">38917: HTTP: Kubernetes API Update CustomResourceDefinition Resources Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38918: HTTP: Kubernetes API Update Status CustomResourceDefinition Resources Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38919: HTTP: Kubernetes API Read CustomResourceDefinition Resources Request<\/span><\/li>\n<\/ul>\n<p><i>Trend Micro Vision One\u2122<\/i><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/more-tools-in-the-arsenal\/teamtnt-more-tools-12.png\" alt=\"Detection Model for Weave Scope abuse\"><figcaption>Figure 12. Detection Model for Weave Scope abuse<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>Since Weave Scope is a legitimate tool used in workloads, one can enable or disable the XDR Model from Detection Model Management by toggling the \u2018Status\u2019. If the tool is not supposed to be used in the environment and there are alerts as XDR Model triggers or Observed Attack Techniques, it must be checked.<\/p>\n<p><i>Workbench<\/i><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/more-tools-in-the-arsenal\/teamtnt-more-tools-13.png\" alt=\"Workbench diagram\"><figcaption>Figure 13. Workbench diagram<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>The diagram in Figure 13 demonstrates the power of correlation amongst different Cloud One\u2122 modules, composed into a single screen. 
The left panel shows the sequence of observed attack techniques with the events generated from Cloud One\u2122 modules, while the right panel details the various objects involved in this attempt. The corresponding MITRE ATT&amp;CK tags help identify the parts of the framework being abused.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/more-tools-in-the-arsenal\/teamtnt-more-tools-14.png\" alt=\"Workbench diagram\"><figcaption>Figure 14. Workbench diagram<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>Using the Impact Scope, this Workbench shows all the workloads in the organization on which the unencrypted Docker REST API is exposed and listening.<\/p>\n<p><i>Root Cause Analysis<\/i><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/more-tools-in-the-arsenal\/teamtnt-more-tools-15.png\" alt=\"Root cause analysis diagrams\"> <\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/more-tools-in-the-arsenal\/teamtnt-more-tools-16.png\" alt=\"Root cause analysis diagrams\"><figcaption>Figures 15 and 16. Root cause analysis diagrams<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"43.721780604134\">\n<div readability=\"33.405405405405\">\n<p>In the RCAs generated from the Observed Attack Techniques, we can dive deep into the various fields of importance, such as the exact time at which the outbound connection was observed and the process lineage with the process command line. 
This shows that \u2018nsenter\u2019 is being executed from \u2018scope\u2019, it\u2019s being used to create a \u2018bash\u2019 shell, and the context is fetched from the PID 1 or \u2018init\u2019 process responsible for starting and shutting down the system.<\/p>\n<p><span class=\"body-subhead-title\">Escaping from a compromised container<\/span><\/p>\n<p>Based on our research, the attackers also used a well-known technique to escape from a compromised container to the host. They did this by using bind mounts and fetching the Docker Hub credentials from the following paths:<\/p>\n<ol>\n<li>\/root\/.docker\/config.json<\/li>\n<li>\/home\/*\/.docker\/config.json<\/li>\n<\/ol>\n<p>As per Docker\u2019s <a href=\"https:\/\/docs.docker.com\/engine\/reference\/commandline\/login\/\" target=\"_blank\" rel=\"noopener\">official documentation<\/a>:<\/p>\n<p>\u201cYou can log into any public or private repository for which you have credentials. When you log in, the command stores credentials in $HOME\/.docker\/config.json on Linux or %USERPROFILE%\/.docker\/config.json\u201d.<\/p>\n<p>When someone logs into their Docker Hub account using the Docker command line and there are no credential stores specified, the username, password and registry server link are populated as a JSON that looks like this:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/more-tools-in-the-arsenal\/teamtnt-more-tools-17.png\" alt=\"Code with Docker login\"><figcaption>Figure 17. Code with Docker login<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"40\">\n<div readability=\"25\">\n<p>By default, the registry used is of Docker Inc. The value of \u2018auths.auth\u2019 field is the base64-encoded string that contains the credentials in the format \u2018username:password\u2019. 
If these credentials are compromised, an attacker gains access to the victim\u2019s account information:<\/p>\n<ol>\n<li>Email ID used to create the account<\/li>\n<li>Private Images<\/li>\n<li>Access tokens<\/li>\n<li>Slack Webhooks<\/li>\n<li>Content Subscriptions<\/li>\n<li>Upgraded features<\/li>\n<\/ol>\n<p>Now we take a look at how the enumeration of exposed kubelets was performed.<\/p>\n<p><span class=\"body-subhead-title\">Enumeration Of Exposed Kubelets<\/span><\/p>\n<p>This attack abused the Docker REST API to create a container from an image that had a script at the filesystem path \u2018\/root\/init.sh\u2019, which contains the following:<\/p>\n<p><b>1. <\/b>They initially update the Alpine-based container and add the packages needed for later operations, such as compiling zgrab from source and running masscan.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/more-tools-in-the-arsenal\/teamtnt-more-tools-18.png\" alt=\"Building zgrab\"><figcaption>Figure 18. Building zgrab<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p><b>2. <\/b>Once the above steps are executed, execution of the malicious function is gated by a kill switch: the contents of a certain endpoint on the attacker\u2019s infrastructure must be equal to \u2018RUN\u2019.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/more-tools-in-the-arsenal\/teamtnt-more-tools-19.png\" alt=\"Executing malicious functions\"><figcaption>Figure 19. 
Executing malicious functions<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p><b>3.<\/b> Once the kill switch is confirmed to be equal to \u2018RUN\u2019, the malicious PWN function is executed.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/more-tools-in-the-arsenal\/teamtnt-more-tools-20.png\" alt=\"Checking for the kill switch\"><figcaption>Figure 20. Checking for the kill switch<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"44.241279069767\">\n<div readability=\"33.802325581395\">\n<p>This script fetches a scan range from a malicious server endpoint. If the results fetched contain \u2018ENDE\u2019, that signals the exit of the malicious script.<\/p>\n<p>The result returned by the endpoint is stored in the variable \u2018SCAN_RANGE\u2019, to which \u2018.0.0.0\/8\u2019 is then appended. For example, if the value returned from the endpoint is 10, then the value of \u2018SCAN_RANGE\u2019 will be \u201810.0.0.0\/8\u2019.<\/p>\n<p>The variable \u2018rndstr\u2019 is a six-letter random alphabetical string used to accumulate a list of IP addresses of running pods with the kubelet API TCP port 10250 exposed, as found using masscan and zgrab. Once this subnet is completed, the results are sent back to the threat actor using a <i>for <\/i>loop, which iterates over the acquired results and submits them via a website.<\/p>\n<p>Once the results are sent, the kill switch loop fetches a new subnet from the infrastructure until all the subnets have been enumerated.<\/p>\n<p>The threat actor seems to do this as preparation to later target exposed kubelets. 
<a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/k\/teamtnt-upgrades-arsenal-refines-focus-on-kubernetes-and-gpu-env.html\">Earlier<\/a>, we detailed the shift in focus from the Docker REST API to the Kubernetes API. Here is the trend in workloads with Kubernetes API port 10250 exposed, as indexed by Shodan, starting from approximately 1,200 exposed workloads months ago:&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/more-tools-in-the-arsenal\/teamtnt-more-tools-21.jpg\" alt=\"Growth in exposed port 10250\"><figcaption>Figure 21. Growth in exposed port 10250<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p><b>Trend Micro Solutions<\/b><\/p>\n<p><i>Cloud One Workload Security\u2122<\/i><\/p>\n<p>Intrusion Prevention<\/p>\n<ol>\n<li>1010326 &#8211; Identified Docker Daemon Remote API Call<\/li>\n<li>1010561 &#8211; Identified Kubernetes Unprotected Primary Channel Information Disclosure<\/li>\n<li>1010762 &#8211; Identified Kubernetes API Server LoadBalancer Status Patch Request<\/li>\n<li>1010769 &#8211; Identified Kubernetes Namespace API Requests<\/li>\n<li>1009493 &#8211; Kubernetes Dashboard Authentication Bypass Information Disclosure Vulnerability (CVE-2018-18264)<\/li>\n<li>1009450 &#8211; Kubernetes API Proxy Request Handling Privilege Escalation Vulnerability (CVE-2018-1002105)<\/li>\n<li>1009561 &#8211; Kubernetes API Server Denial of Service Vulnerability (CVE-2019-1002100)<\/li>\n<\/ol>\n<p>Log Inspection<\/p>\n<ol>\n<li>1009105 \u2013 Kubernetes<\/li>\n<li>1008619 &#8211; Application \u2013 Docker<\/li>\n<li>1010349 &#8211; Docker Daemon Remote API Calls<\/li>\n<\/ol>\n<p>Integrity Monitoring<\/p>\n<ol>\n<li>1008271 \u2013 Application &#8211; Docker<\/li>\n<li>1009060 &#8211; Application &#8211; Kubernetes Cluster master<\/li>\n<li>1009434 &#8211; 
Application &#8211; Kubernetes Cluster node<\/li>\n<\/ol>\n<p><i>Cloud One Network Security\u2122<\/i><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">29993: HTTP: Docker Container With Root Directory Mounted with Write Permission Creation Attempt<\/span><\/li>\n<li><span class=\"rte-red-bullet\">33719: HTTP: Docker Daemon &#8220;create\/exec&#8221; API with &#8220;Cmd&#8221; Key Set to Execute Shell Commands<\/span><\/li>\n<li><span class=\"rte-red-bullet\">33905: HTTP: Kubernetes API Proxy Request Handling Privilege Escalation Vulnerability<\/span><\/li>\n<li><span class=\"rte-red-bullet\">34487: HTTP: Kubernetes Dashboard Authentication Bypass Vulnerability<\/span><\/li>\n<li><span class=\"rte-red-bullet\">34488: HTTPS: Kubernetes Dashboard Authentication Bypass Vulnerability<\/span><\/li>\n<li><span class=\"rte-red-bullet\">34668: HTTP: Docker Build Image API Request with remote and networkmode Parameters Set<\/span><\/li>\n<li><span class=\"rte-red-bullet\">34796: HTTP: Docker Version API Check Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">35799: HTTP: Kubernetes Overlength json-patch Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38836: HTTP: Kubernetes API Namespaces Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38837: HTTP: Kubernetes API Namespaces Status Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38838: HTTP: Kubernetes API Create Namespace Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38839: HTTP: Kubernetes API Delete Namespace Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38840: HTTP: Kubernetes API Update Namespace Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38847: HTTP: Kubernetes API Server loadBalancer Status Patch Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38892: HTTP: Kubernetes API Admission Control Create Mutating Webhook Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38893: HTTP: Kubernetes API Admission Control Create Validating Webhook 
Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38896: HTTP: Kubernetes API Admission Control Resources Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38898: HTTP: Kubernetes API Admission Control List Mutating Webhook Configurations Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38899: HTTP: Kubernetes API Admission Control List Validating Webhook Configurations Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38901: HTTP: Kubernetes API Admission Control Delete Validating Webhook Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38902: HTTP: Kubernetes API Admission Control Delete Mutating Webhook Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38903: HTTP: Kubernetes API Admission Control Update Validating Webhook Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38904: HTTP: Kubernetes API Admission Control Update Mutating Webhook Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38905: HTTP: Kubernetes API Admission Control Read Mutating Webhook Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38906: HTTP: Kubernetes API Admission Control Read Validating Webhook Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38907: HTTP: Kubernetes API Admission Control Replace Mutating Webhook Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38908: HTTP: Kubernetes API Admission Control Replace Validating Webhook Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38909: HTTP: Kubernetes API CustomResourceDefinition Resources Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38910: HTTP: Kubernetes API Create CustomResourceDefinition Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38916: HTTP: Kubernetes API List CustomResourceDefinition Resources Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38917: HTTP: Kubernetes API Update CustomResourceDefinition Resources Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38918: HTTP: 
Kubernetes API Update Status CustomResourceDefinition Resources Request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">38919: HTTP: Kubernetes API Read CustomResourceDefinition Resources Request<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"39.055087987758\">\n<div class=\"responsive-table-wrap\" readability=\"26.350420811018\">\n<p><span class=\"body-subhead-title\">Conclusion<\/span><\/p>\n<p>Vulnerabilities that stem from security misconfigurations or inherent software bugs are difficult to protect against. In the case above, we observed the use of legitimate platforms like Weaveworks. To stay protected, we need to rethink how we build security into our daily work: patching regularly, and staying updated on and alert to the latest developments in cyberspace.<\/p>\n<p><a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/hybrid-cloud\/cloud-one-workload-security.html\">Trend Micro\u2122 Cloud One\u2122 \u2013 Workload Security<\/a> equips defenders and analysts with the ability to protect systems against vulnerabilities, exploits, and malware, offering protection from on-premise to cloud workloads. Virtual patching can protect critical systems even before the official patches are made available.<\/p>\n<p><a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/detection-response.html\">Trend Micro\u2122 Vision One\u2122<\/a> presents the most important events as concise alerts, because the race is about quick response. 
With XDR capabilities and telemetry from your multi-cloud environments or on-premise workloads, security teams get a clear and vivid understanding of what to prioritize.<\/p>\n<p><span class=\"body-subhead-title\">Indicators Of Compromise<\/span><\/p>\n<p><i>IP address<\/i><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">45.9.148[.]182<\/span><\/li>\n<\/ul>\n<p><i>Domain<\/i><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">dl[.]chimaera.cc<\/span><\/li>\n<\/ul>\n<p><i>Shell scripts<\/i><\/p>\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\">\n<tbody readability=\"3\">\n<tr>\n<td>Hash<\/td>\n<td>Detection Name<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>7c110dc507ed4e2694500c7c37fe9176e9f4db23bc4753c0bfc9f3479eb6385a<\/td>\n<td>Trojan.SH.MALXMR.UWELG<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>b7cef848b61cfb7d667e60ade3a1781def69f5395b5ad6a2a16f7b7fa11ef1db<\/td>\n<td>Trojan.Win32.FRS.VSNW0CK21<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/l\/more-tools-in-the-arsenal-how-teamtnt-used-compromised-docker-hu.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Following our previous disclosure of compromised Docker Hub accounts delivering cryptocurrency miners, we analyze these accounts and discover more malicious actions that you need to be aware of. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":44215,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9520,9511,9509],"class_list":["post-44214","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cloud","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Analyzing How TeamTNT Used Compromised Docker Hub Accounts 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/analyzing-how-teamtnt-used-compromised-docker-hub-accounts\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Analyzing How TeamTNT Used Compromised Docker Hub Accounts 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/analyzing-how-teamtnt-used-compromised-docker-hub-accounts\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2021-12-01T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/more-tools-in-the-arsenal\/compromiseddocker-main.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"12 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-how-teamtnt-used-compromised-docker-hub-accounts\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-how-teamtnt-used-compromised-docker-hub-accounts\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Analyzing How TeamTNT Used Compromised Docker Hub 
Accounts\",\"datePublished\":\"2021-12-01T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-how-teamtnt-used-compromised-docker-hub-accounts\\\/\"},\"wordCount\":2435,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-how-teamtnt-used-compromised-docker-hub-accounts\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/12\\\/analyzing-how-teamtnt-used-compromised-docker-hub-accounts.png\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cloud\",\"Trend Micro Research : Cyber Threats\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-how-teamtnt-used-compromised-docker-hub-accounts\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-how-teamtnt-used-compromised-docker-hub-accounts\\\/\",\"name\":\"Analyzing How TeamTNT Used Compromised Docker Hub Accounts 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-how-teamtnt-used-compromised-docker-hub-accounts\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-how-teamtnt-used-compromised-docker-hub-accounts\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/12\\\/analyzing-how-teamtnt-used-compromised-docker-hub-accounts.png\",\"datePublished\":\"2021-12-01T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-how-teamtnt-used-compromised-docker-hub-accounts\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-how-teamtnt-used-compromised-docker-hub-accounts\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-how-teamtnt-used-compromised-docker-hub-accounts\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/12\\\/analyzing-how-teamtnt-used-compromised-docker-hub-accounts.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/12\\\/analyzing-how-teamtnt-used-compromised-docker-hub-accounts.png\",\"width\":557,\"height\":340},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-how-teamtnt-used-compromised-docker-hub-accounts\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Analyzing How TeamTNT Used Compromised Docker Hub Accounts\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 
Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH 
Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Analyzing How TeamTNT Used Compromised Docker Hub Accounts 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/analyzing-how-teamtnt-used-compromised-docker-hub-accounts\/","og_locale":"en_US","og_type":"article","og_title":"Analyzing How TeamTNT Used Compromised Docker Hub Accounts 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/analyzing-how-teamtnt-used-compromised-docker-hub-accounts\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2021-12-01T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/more-tools-in-the-arsenal\/compromiseddocker-main.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"12 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/analyzing-how-teamtnt-used-compromised-docker-hub-accounts\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/analyzing-how-teamtnt-used-compromised-docker-hub-accounts\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Analyzing How TeamTNT Used Compromised Docker Hub Accounts","datePublished":"2021-12-01T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/analyzing-how-teamtnt-used-compromised-docker-hub-accounts\/"},"wordCount":2435,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/analyzing-how-teamtnt-used-compromised-docker-hub-accounts\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/12\/analyzing-how-teamtnt-used-compromised-docker-hub-accounts.png","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cloud","Trend Micro Research : Cyber Threats","Trend Micro Research : 
Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/analyzing-how-teamtnt-used-compromised-docker-hub-accounts\/","url":"https:\/\/www.threatshub.org\/blog\/analyzing-how-teamtnt-used-compromised-docker-hub-accounts\/","name":"Analyzing How TeamTNT Used Compromised Docker Hub Accounts 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/analyzing-how-teamtnt-used-compromised-docker-hub-accounts\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/analyzing-how-teamtnt-used-compromised-docker-hub-accounts\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/12\/analyzing-how-teamtnt-used-compromised-docker-hub-accounts.png","datePublished":"2021-12-01T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/analyzing-how-teamtnt-used-compromised-docker-hub-accounts\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/analyzing-how-teamtnt-used-compromised-docker-hub-accounts\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/analyzing-how-teamtnt-used-compromised-docker-hub-accounts\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/12\/analyzing-how-teamtnt-used-compromised-docker-hub-accounts.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/12\/analyzing-how-teamtnt-used-compromised-docker-hub-accounts.png","width":557,"height":340},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/analyzing-how-teamtnt-used-compromised-docker-hub-accounts\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Analyzing How TeamTNT Used Compromised Docker Hub Accounts"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 
SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/44214","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=44214"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/44214\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/44215"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=44214"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=44214"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=44214"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}