Security researchers observed a group of attackers using a monitoring tool to gain visibility over their victims’ cloud infrastructure.
At the beginning of September, Intezer revealed that it had witnessed the TeamTNT digital threat group abusing the cloud monitoring tool Weave Scope to achieve full visibility over and control of their victims’ cloud environments.
The attack began when TeamTNT created a privileged container that enabled its members to access all the files stored on their victim’s file server.
After commanding the container to download and execute multiple cryptominers, TeamTNT attempted to establish persistence on the compromised computer before downloading and installing Weave Scope.
Developed by Weave Works, Weave Scope is an open-source tool that integrates with organizations’ Docker and Kubernetes deployments, among other cloud environments. It enables users to obtain metadata and other information about their cloud-based resources. They can then view all of that data via a dashboard that’s accessible through a browser.
Intezer didn’t mince its words in describing how digital attackers could potentially abuse Weave Scope for malicious purposes:
Weave Scope is a powerful utility, giving the attackers access to all information about the victim’s server environment with the ability to control them including: installed applications, connection between the cloud workloads, use of the memory and CPU, and a list of existing containers with the ability to start, stop, and open interactive shells in any of these containers. By installing a legitimate tool such as Weave Scope the attackers reap all the benefits as if they had installed a backdoor on the server, with significantly less effort and without needing to use malware.
Upon installing Weave Scope, TeamTNT attempted to connect to the tool. Success in this effort enabled the threat group to assume control of their victim’s Docker runtime cloud environment. The attackers thereby gained the ability to issue malicious commands within that environment—all without deploying a backdoor.
Some background on TeamTNT?
The campaign analyzed above was the first time that a legitimate piece of software functioned as an admin tool in an attack against a Linux machine, noted Intezer.
It wasn’t the first time in which TeamTNT made headlines, however.
Less than a month before Intezer’s report, Cado Security wrote that it had seen the threat group stage an operation to compromise multiple Docker and Kubernetes systems.
The campaign’s cryptomining worm began by stealing and exfiltrating credentials for Amazon Web Services (AWS). Next, the worm scanned for opportunities to spread laterally within a targeted organization’s Docker environment. This laid the groundwork for the worm to deploy the cryptominer, among other malware, on the victim’s compromised systems.
How to defend against TeamTNT’s ongoing malicious activity
Organizations can defend themselves against TeamTNT’s attacks by reviewing their Docker configurations. They should specifically look to close exposed Docker API ports and thereby prevent malicious actors from using them to gain full control over their cloud environments. They should also use Intezer’s findings to close the port that malicious actors could use to gain access to Weave Scope’s dashboard.
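As an added illustration of that review (example code written for this article, not from Intezer or Weave Works), the script below audits a host for the three conditions the story describes: a Docker API port reachable on a non-loopback address, a Weave Scope dashboard reachable the same way, and privileged containers. It assumes the tools' documented default ports (Docker 2375/2376, Weave Scope 4040), which the article itself does not name, and runs against constructed sample output in the shape of `ss -ltn` and `docker inspect`.

```python
import json

# Documented defaults (assumed, not stated in the article): Docker's TCP API
# ports and the port Weave Scope serves its browser dashboard on.
DOCKER_API_PORTS = {2375, 2376}
WEAVE_SCOPE_PORT = 4040
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

def parse_listeners(ss_output):
    """Parse `ss -ltn` style lines into (local_address, port) tuples."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # skip the header and anything that is not a listener
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            listeners.append((addr, int(port)))
    return listeners

def exposed_ports(listeners):
    """Flag Docker API or Weave Scope ports bound to a non-loopback address."""
    findings = []
    for addr, port in listeners:
        if addr in LOOPBACK:
            continue
        if port in DOCKER_API_PORTS:
            findings.append(f"docker API reachable on {addr}:{port}")
        elif port == WEAVE_SCOPE_PORT:
            findings.append(f"weave scope dashboard reachable on {addr}:{port}")
    return findings

def privileged_containers(inspect_json):
    """Names of containers in `docker inspect` output that run with --privileged."""
    return [c["Name"].lstrip("/") for c in json.loads(inspect_json)
            if c.get("HostConfig", {}).get("Privileged")]

def audit(ss_output, inspect_json):
    """Combine both checks into one list of human-readable findings."""
    findings = exposed_ports(parse_listeners(ss_output))
    return findings + [f"privileged container: {n}"
                       for n in privileged_containers(inspect_json)]

# Constructed sample data mimicking `ss -ltn` and `docker inspect` output.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:2375       0.0.0.0:*
LISTEN 0      128    127.0.0.1:2376     0.0.0.0:*
LISTEN 0      128    *:4040             *:*
LISTEN 0      128    [::]:22            [::]:*
"""
SAMPLE_INSPECT = json.dumps([{"Name": "/miner", "HostConfig": {"Privileged": True}},
                             {"Name": "/web", "HostConfig": {"Privileged": False}}])
```

On a live host, feed it the real output of `ss -ltn` and `docker inspect $(docker ps -q)`; the loopback-bound 2376 listener in the sample is deliberately not flagged, since the article's concern is ports reachable from outside the host.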
Organizations shouldn’t let their security efforts end there. It’s also important that they realize that malicious actors can abuse vulnerabilities in Docker, Kubernetes and other cloud environments to gain access to their cloud-based assets and steal their sensitive data. That’s why it’s important for them to review new features and to deploy updates in their infrastructure on a timely basis.
About the Author: David Bisson is an information security writer and security junkie. He’s a contributing editor to IBM’s Security Intelligence, Tripwire’s The State of Security Blog, and a contributing writer to Bora. He also regularly produces written content for Zix and a number of other companies in the digital security space.