In recent attack, the hackers of the group TeamTNT relied on a legitimate tool to avoid the development of malware code in violated cloud infrastructure. In particular, they used an open source tool created to monitor and control cloud environments with Docker and Kubernetes installations, thus reducing their footprint to a compromised one server.
Analyzing the attack, the investigators of the cybersecurity company "Intezer" found that in addition to using malicious images Docker to infect victims ’servers, which was already known, TeamTNT has now been observed to use Weave Scope as an effective backdoor in the cloud networking infrastructure of its targets, according to the analysis of Intezer.
The Weave Scope developed by Weave Works, is a reliable tool that provides users with full access to their cloud environment, and is integrated into Docker, Kubernetes, Distributed Cloud Operating System (DC / OS) and the AWS Elastic Compute Cloud (ECS). However, hackers have taken advantage of this tool to map victim victims' environments and execute system commands without having to develop malicious code. This new tactic indicates the evolution of this gang.
According to Intezer security researcher Nicole Fishbein, this is the first time it has been revealed that hackers are abusing a legitimate third-party software to target a cloud infrastructure. In this way, the hackers had full visibility and control over the information contained in the victim's cloud environment, effectively acting as a backdoor. Fishbein also points out that by installing a legitimate tool like the Weave Scope, intruders reap all the benefits, as if they had installed a backdoor on a server, with significantly less effort and without the need to use malware.
To install the legitimate "Weave Scope" tool, hackers used an exposed Docker API port and created a new privileged container with a clear Ubuntu image. This container was then configured to attach the system container files in the victim's server file system and therefore provide attackers with access to all server files.
The original command, as observed by Intezer, was to download and execute many cryptominers. The hackers then attempted to gain root access to the server by creating a local privileged user on the host server, which they used to reconnect via Secure Shell (SSH). Then they downloaded and installed Weave Scope, which, once started, connected the hackers to the Weave Scope dashboard via HTTP on port 4040.
Intezer recommends that organizations close any exposed Docker API ports to prevent initial intrusion, as this attack exploits an incorrect Docker API configuration. All Docker API ports should therefore either be closed or contain restricted access policies firewall. Organizations should also block incoming connections to port 4040, as Weave Scope uses it as the default to make the dashboard accessible.