In the past, several prominent hacker groups have been observed using legitimate tools like operating system utilities to carry out their attacks. However, recently, a hacking group dubbed TeamTNT abused a legitimate third-party tool Weave Scope to target cloud infrastructure, for the first time.
Exploiting the tool of the trade
Researchers at Intezer discovered that the TeamTNT cybercriminal group used the Weave Scope tool to gain full visibility and take control of all assets in a victim’s cloud infrastructure.
• Using Weave Scope, the attackers could execute system commands without deploying malicious code on the victim’s server, essentially functioning as a genuine backdoor entry.
• The tool can enable attackers to gain full access to Docker, Kubernetes, the Distributed Cloud Operating System (DC/OS), and AWS Elastic Compute Cloud (ECS), including all information and metadata about containers, processes, and hosts.
How does it work?
• The attacker uses an exposed Docker port to create a new privileged container with a clean Ubuntu image, which is configured to be mounted to the victim’s server.
• The attacker then tries to gain root access by setting up a local privileged user on the host server and leveraging that to install Weave Scope.
• Upon installation, the attackers can connect to the Weave Scope dashboard via HTTP on port 4040 to take control over the target infrastructure.
TeamTNT recent strikes
TeamTNT has been evolving with time and has been observed adopting new tactics in its recent attacks.
• In August, TeamTNT became the first group to add AWS-specific functionality to steal local credentials and scan the internet for misconfigured Docker platforms.
• First identified in May, the malicious cryptocurrency miner TeamTNT and DDoS bot had been targeting open Docker daemon ports.
Closing statement
TeamTNT has been mainly targeting Docker installations and other kinds of cloud infrastructure. Precise and correct configuration of cloud workloads and services can help users prevent many attacks. To mitigate the attacks, users are recommended to close exposed Docker API ports, block incoming connections to port 4040, and protect their Linux cloud servers and containers in runtime against unauthorized code.