{
  "name": "Docker Gatling Gun Campaign",
  "slug": "docker-gatling-gun-campaign",
  "description": "Recent research has uncovered a new malicious campaign orchestrated by the notorious hacking group TeamTNT. This campaign exploits exposed Docker daemons to deploy Sliver malware, a cyber worm, and cryptominers, utilizing compromised servers and Docker Hub as infrastructure for spreading their malicious payloads. TeamTNT is leveraging native cloud capabilities by appending compromised Docker instances to a Docker Swarm and using Docker Hub to store and distribute their malware, aiming to rent out victims' computational resources to third parties for cryptomining operations.",
  "published": "2024-10-29T12:51:29+00:00",
  "created_at": "2024-10-29T12:51:29+00:00",
  "modified_at": "2024-10-29T12:57:19+00:00",
  "created_at_opencti": "2024-10-29T12:51:29+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-10-26",
    "2024-10-29",
    "campaign",
    "cloud-native",
    "container security",
    "cryptomining",
    "docker",
    "docker hub",
    "docker swarm",
    "exposed-daemons",
    "malicious",
    "prochider",
    "sliver",
    "tsunami"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "95.182.101.23"
      },
      {
        "id": "",
        "name": "45.154.2.77"
      },
      {
        "id": "",
        "name": "devnull.anondns.net"
      },
      {
        "id": "",
        "name": "teamtnt.red"
      },
      {
        "id": "",
        "name": "solscan.store"
      },
      {
        "id": "",
        "name": "solscan.online"
      },
      {
        "id": "",
        "name": "solscan.one"
      },
      {
        "id": "",
        "name": "solscan.life"
      },
      {
        "id": "",
        "name": "5bb45f372fb4df6a9c6a5460fa1845f5e96af53aa41939eb251cbe989a5cac6c"
      },
      {
        "id": "",
        "name": "43545f6cd370e6f200347bd9bbafdc3d94240775d816cd5e24dc8072d0f1c9b5"
      },
      {
        "id": "",
        "name": "0af1b8cd042b6e2972c8ef43d98c0a0642047ec89493d315909629bcf185dffd"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:6500e48e9cd9c319",
        "name": "prochider",
        "slug": "prochider"
      },
      {
        "id": "legacy:malware:e7896b82b9fcccbb",
        "name": "Sliver",
        "slug": "sliver"
      }
    ],
    "intrusion_sets": [
      {
        "id": "6ed40ebe-b98f-47d0-a728-89f5ed1627b8",
        "name": "TeamTNT",
        "slug": "teamtnt"
      }
    ],
    "attack_patterns": [
      {
        "id": "2969e5a7-1049-4df8-b1ba-8a0675de6b94",
        "name": "T1589"
      },
      {
        "id": "5c67e5d2-bc85-4ce0-822d-f2f5d3b0ae4e",
        "name": "T1185"
      },
      {
        "id": "436e795b-553f-444e-b837-65818d8f539f",
        "name": "T1119"
      },
      {
        "id": "5e7cb3d2-6a97-48b2-bdd2-f11eee10f6dc",
        "name": "T1137"
      },
      {
        "id": "b7c6c1ad-f183-4128-8427-3891029c73dc",
        "name": "T1539"
      },
      {
        "id": "1e043fe4-2413-4b8e-887c-0fe45d095a24",
        "name": "T1583"
      },
      {
        "id": "232fbdfa-94c6-443d-b575-373e75b4f4c2",
        "name": "T1567"
      },
      {
        "id": "a72b6e11-a5d5-4f5a-8f0d-8861e90c34f7",
        "name": "T1555"
      },
      {
        "id": "8598a502-2b24-4c8a-8ec3-45179f49e5b7",
        "name": "T1199"
      },
      {
        "id": "a7262c61-4567-4a00-8cec-aae6264234a9",
        "name": "T1218"
      },
      {
        "id": "6d618903-d9f6-4747-aec2-7630f43c1908",
        "name": "T1496"
      },
      {
        "id": "bb20a9e1-f4f6-459d-94f4-470c6867dc2d",
        "name": "T1053"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ]
  },
  "external_refs": [
    "https://www.aquasec.com/blog/threat-alert-teamtnts-docker-gatling-gun-campaign/?utm_campaign=General+website&utm_medium=email&_hsenc=p2ANqtz-92AbUxDf890WmIltI9X2LhL0FpMu9OhPLNQDdxetpcr8SI9czknB4Dc_4xvXmgaLfujLJonLpOoavAi_VrNIvPqpT_HnHtUpkyemNm2rQ1rWKTnuY&_hsmi=330821549&utm_content=330821549&utm_source=hs_email",
    "https://otx.alienvault.com/pulse/6720e8610825425e5d5cee81"
  ]
}