TeamTNT Uses Legitimate Cloud Monitoring Tools To Take Control of Cloud Instances


TeamTNT, a cybercrime group, is targeting cloud computing environments, including Docker and Kubernetes. The group has been known to use several tools in the past, including cryptominers and worms that steal Amazon Web Services credentials. TeamTNT has also been spotted using a malicious Docker image to infect other servers. In a recent attack observed by Intezer, TeamTNT is using Weave Scope, a trusted tool which gives the user full access to their cloud environment. The hackers install Weave Scope to map the cloud environment and execute system commands without deploying malicious code on the server. Weave Scope gives the hackers full visibility and control over all the assets of the victim's cloud environment.

Hackers first find a misconfigured Docker API port. They use the exposed port to create a new privileged container from a clean Linux image. The container is then configured to mount the victim server's filesystem inside the container, giving access to all files on the server. The hackers then try to gain root access to the server by setting up a local privileged user on the host server and using it to connect back via SSH.


Next the attackers download and install Weave Scope. Once installed, the hackers can connect to the Weave Scope dashboard via HTTP on port 4040 and can see and control the victim's infrastructure. From the dashboard, the hackers can see a visual map of the Docker runtime cloud environment and issue shell commands without needing to use any malicious backdoor code.

Correct configuration of cloud workloads and services can prevent many attacks, which is why it's important to take the time and effort to check them. Weave Scope uses default port 4040 to make the dashboard accessible, and anyone with access to the network can view the dashboard. Like the Docker API port, this port should be closed or restricted by the firewall. Use Intezer Protect community edition, which is free, to protect your Linux cloud servers and containers at runtime against unauthorized code. Apply Zero Trust Execution (ZTE) to workloads: ZTE creates a trusted baseline of your workloads and monitors for any new process or injected code. Any unauthorized code or applications that differ from the pre-approved baseline are blocked from running in cloud environments.
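As an added example (not code from the article, Intezer, or Weave), the following audit script checks a host for the two conditions the article describes: a privileged container with the host's root filesystem bind-mounted inside it, and the Docker API or Weave Scope dashboard (port 4040) listening on all interfaces. It assumes the JSON printed by `docker inspect` and lines in `ss -ltn` format; the sample data is constructed, and port 2375 for the Docker API is an assumption since the article only says "Docker API port".

```python
import json

# Ports named in the article: Weave Scope's dashboard default 4040, plus the
# Docker API. The article only says "Docker API port"; 2375 is the usual
# plaintext port and is an assumption here.
RISKY_PORTS = {2375: "Docker API (plaintext)", 4040: "Weave Scope dashboard"}

def flag_containers(inspect_json):
    """Flag containers matching the article's pattern: privileged, with the
    host's root filesystem bind-mounted inside (input: `docker inspect` JSON)."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "?").lstrip("/")
        privileged = c.get("HostConfig", {}).get("Privileged", False)
        root_mounts = [m for m in c.get("Mounts", [])
                       if m.get("Type") == "bind" and m.get("Source") == "/"]
        if privileged and root_mounts:
            findings.append("%s: privileged container with host / mounted at %s"
                            % (name, root_mounts[0].get("Destination")))
        elif privileged:
            findings.append("%s: privileged container" % name)
    return findings

def flag_listeners(ss_output):
    """Flag risky ports bound to every interface in `ss -ltn`-style output.
    Port 4040 bound only to 127.0.0.1 is not reported: that is the
    restriction the article recommends."""
    findings = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        addr, _, port = parts[3].rpartition(":")  # works for [::]:4040 too
        if port.isdigit() and int(port) in RISKY_PORTS \
                and addr in ("0.0.0.0", "*", "[::]"):
            findings.append("%s exposed on all interfaces (%s)"
                            % (RISKY_PORTS[int(port)], parts[3]))
    return findings

# Constructed sample data, not captured from a real host.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "HostConfig": {"Privileged": False}, "Mounts": []},
    {"Name": "/clean-linux", "HostConfig": {"Privileged": True},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host"}]},
])
SAMPLE_SS = """LISTEN 0 4096 0.0.0.0:2375   0.0.0.0:*
LISTEN 0 4096 127.0.0.1:4040 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:22     0.0.0.0:*"""

if __name__ == "__main__":
    for finding in flag_containers(SAMPLE_INSPECT) + flag_listeners(SAMPLE_SS):
        print("FINDING:", finding)
```

On a real host, feed it `docker inspect $(docker ps -q)` and `ss -ltn` output; either finding is a reason to restrict the port at the firewall and remove the container.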