TeamTNT Uses Legitimate Cloud Monitoring Tools To Take Control of Cloud Instances
TeamTNT, a cybercrime group, is targeting cloud computing environments, including Docker and Kubernetes. The group has been known to use several tools in the past, including crypto-miners and an Amazon Web Services credential-stealing worm. TeamTNT has also been spotted using a malicious Docker image to infect other servers. In a recent attack observed by Intezer, TeamTNT is using Weave Scope, a trusted tool that gives the user full access to their cloud environment. The hackers install Weave Scope to map the cloud environment and execute system commands without deploying malicious code on the server. Weave Scope gives the hackers full visibility into, and control over, all the assets of the victim's cloud environment.
The hackers first find a misconfigured Docker API port. They use the exposed port to create a new privileged container from a clean Linux image. The container is then configured so that its file system is mounted onto the file system of the victim server, giving the hackers access to all files on the server. They then try to gain root access to the server by setting up a local privileged user on the host and using it to connect back via SSH.
Next, the attackers download and install Weave Scope. Once it is installed, the hackers can connect to the Weave Scope dashboard via HTTP on port 4040 and see and control the victim's infrastructure. From the dashboard, the hackers can view a visual map of the Docker runtime cloud environment and issue shell commands without needing any malicious backdoor code.
Correct configuration of cloud workloads and services can prevent many attacks, which is why it is worth the time and effort to check them. Weave Scope uses port 4040 by default to expose its dashboard, and anyone with access to the network can view it. As with the Docker API port, this port should be closed or restricted by the firewall. Use Intezer Protect community edition, which is free, to protect your Linux cloud servers and containers at runtime against unauthorized code. Apply Zero Trust Execution (ZTE) to workloads: ZTE creates a trusted baseline of your workloads and monitors for any new process or injected code. Any unauthorized code or application that differs from the pre-approved baseline is blocked from running in the cloud environment.
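The following Python script is an added example for defenders, not code from Intezer, Weaveworks or the article: it audits a Docker host for the indicators described above. It takes the JSON that `docker inspect` prints for all running containers and the lines that `ss -ltn` prints, and it flags privileged containers that bind-mount the host's root file system, running Weave Scope images, a Docker API listening on plain TCP, and the Weave Scope dashboard port (4040) bound to all interfaces. The choice of 2375 as the Docker TCP API port is an assumption (it is Docker's documented unencrypted default; the article does not name the port), and the sample inspect output and socket listing below are constructed for the demonstration.

```python
"""Audit a Docker host for the Weave Scope abuse pattern (added example).

Checks, from a defender's point of view:
  1. privileged containers with the host root (/) bind-mounted,
  2. containers running a Weave Scope image,
  3. the Docker API listening on plain TCP on a wildcard address,
  4. the Weave Scope dashboard (port 4040) listening on a wildcard address.
"""
import json
import re

DOCKER_TCP_PORT = 2375      # assumption: Docker's unencrypted TCP API default
WEAVE_SCOPE_PORT = 4040     # dashboard port named in the article
# Matches images such as weaveworks/scope:1.13.2 but not e.g. nginx:1.25
SCOPE_IMAGE_RE = re.compile(r"(^|/)scope(:|@|$)")
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}


def audit_containers(inspect_json):
    """Return (container_name, finding) tuples from `docker inspect` JSON."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "").lstrip("/")
        host_cfg = c.get("HostConfig", {})
        image = c.get("Config", {}).get("Image", "")
        root_mounts = [m for m in c.get("Mounts", [])
                       if m.get("Type") == "bind" and m.get("Source") == "/"]
        if host_cfg.get("Privileged") and root_mounts:
            findings.append((name, "privileged container with host / bind-mounted"))
        if SCOPE_IMAGE_RE.search(image):
            findings.append((name, "Weave Scope image running"))
    return findings


def audit_listeners(ss_output):
    """Return (port, finding) tuples from `ss -ltn`-style output."""
    findings = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue                      # skip header and non-listening rows
        addr, _, port = parts[3].rpartition(":")   # handles "[::]:4040" too
        if not port.isdigit():
            continue
        port = int(port)
        if addr in WILDCARD_ADDRS and port == DOCKER_TCP_PORT:
            findings.append((port, "Docker API reachable over plain TCP from the network"))
        if addr in WILDCARD_ADDRS and port == WEAVE_SCOPE_PORT:
            findings.append((port, "Weave Scope dashboard reachable from the network"))
    return findings


# --- constructed sample data (not captured from a real host) ---------------
SAMPLE_INSPECT = json.dumps([
    {"Name": "/nginx", "Config": {"Image": "nginx:1.25"},
     "HostConfig": {"Privileged": False}, "Mounts": []},
    {"Name": "/alpine_priv", "Config": {"Image": "alpine:latest"},
     "HostConfig": {"Privileged": True},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host"}]},
    {"Name": "/weavescope", "Config": {"Image": "weaveworks/scope:1.13.2"},
     "HostConfig": {"Privileged": True, "PidMode": "host"},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock"}]},
])

SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      4096         0.0.0.0:2375      0.0.0.0:*
LISTEN 0      4096               *:4040            *:*
LISTEN 0      128        127.0.0.1:4041      0.0.0.0:*
"""


if __name__ == "__main__":
    # On a real host: docker inspect $(docker ps -q) > inspect.json ; ss -ltn > ss.txt
    for who, what in audit_containers(SAMPLE_INSPECT) + audit_listeners(SAMPLE_SS):
        print(f"[!] {who}: {what}")
```

The loopback-bound port 4041 in the sample is deliberately not flagged: binding the dashboard to 127.0.0.1 (or behind a firewall rule) is the restriction the article recommends, so only wildcard binds count as findings.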