Containers are something developers live and breathe, as they help escape dependency hell, optimize workflows, and increase productivity. Unfortunately, attackers have been known to abuse misconfigured container components such as a Docker daemon exposed over its REST API. They perform malicious actions such as creating new containers, compromising the underlying host for unauthorized crypto mining, and even exfiltrating sensitive information like AWS API keys and other credentials stored in files. Sometimes they go further, remotely controlling the victim servers to expand their botnet, and more.
One of the first, and best known, threat actors to exploit the cloud and container threat landscape for profit was TeamTNT. It is known for a wide range of techniques and tactics across its campaigns, including the use of compromised DockerHub accounts to host container images carrying its arsenal: crypto miners, kernel rootkits, container escape tools, network scanners, and more.
This talk presents real-world findings from our deployed container API honeypots. Additionally, we observed threat actors leaking the credentials of the accounts they were using for their malicious operations, giving us a unique glimpse of how they leveraged the features of container registries to maximize their gain from illegal activities.
We will walk through a brief overview of the container honeypot, what container registries are, and under what circumstances the credential leak happens. Next, we will threat model the different scenarios under which the leak can be observed. Then, we will share evidence of threat actors going after credentials stored in files once they had compromised misconfigured servers. Next, we will go through a video demo showing how the credential leak happens and what may have happened to the threat actor in question. Finally, we will conclude with the findings we gathered from the honeypot.