Friday, January 15, 13:12

Hackers attack through a legitimate cloud monitoring tool!

In a recent attack, the TeamTNT group relied on a legitimate tool to avoid deploying its own malware on the cloud infrastructure it had breached. Specifically, the group used an open-source tool built to monitor and control cloud environments running Docker and Kubernetes, reducing its footprint on the compromised server.

Analyzing the attack, investigators at the cybersecurity company Intezer found that, in addition to using malicious Docker images to infect victims' servers, a tactic that was already known, TeamTNT has now been observed using Weave Scope as an effective backdoor into its targets' cloud infrastructure.


Weave Scope, developed by Weaveworks, is a trusted tool that gives users full visibility into and control over their cloud environment; it integrates with Docker, Kubernetes, the Distributed Cloud Operating System (DC/OS) and Amazon Elastic Container Service (ECS). The attackers turned this tool against its owners, using it to map victims' environments and execute system commands without having to write malicious code of their own. The new tactic shows how this gang is evolving.

According to Intezer security researcher Nicole Fishbein, this is the first time attackers have been seen abusing legitimate third-party software to target cloud infrastructure. Through it, the intruders gained full visibility and control over the victim's cloud environment, so the tool effectively served as a backdoor. Fishbein also notes that by installing a legitimate tool such as Weave Scope, the intruders get everything they would get from a backdoor on the server, with far less effort and no need for malware.


To install Weave Scope, the attackers used an exposed Docker API port to create a new privileged container from a clean Ubuntu image. The container was configured to mount the host server's filesystem inside the container, giving the attackers access to every file on the server.

The container's initial command, as observed by Intezer, downloaded and executed several cryptominers. The attackers then worked toward root access on the server by creating a local privileged user on the host, which they used to reconnect over Secure Shell (SSH). Finally they downloaded and installed Weave Scope which, once started, gave them access to its dashboard over HTTP on port 4040.
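To make the container pattern described above concrete, the following Python script, added here as an illustration and not code from Intezer's write-up or from the Weave Scope project, audits `docker inspect` output for a privileged container that bind-mounts the host's root directory, and separately flags any container that publishes port 4040. The inspect records are constructed samples, not data captured from an incident; the container names, the mount destination `/mnt`, the image tags and the idea that Weave Scope would show up as a published 4040/tcp port are all assumptions made for the example.

```python
"""Audit `docker inspect` JSON for the TeamTNT-style container pattern:
a privileged container with the host's / bind-mounted inside it, plus any
container that publishes the Weave Scope default dashboard port.

Usage:  docker inspect $(docker ps -q) | python3 audit_containers.py
Without stdin the constructed SAMPLE below is audited instead."""
import json
import sys

# Weave Scope's default dashboard port as named in the article. Treating a
# published 4040/tcp as a Scope indicator is an assumption of this example.
SCOPE_PORT = "4040/tcp"


def host_root_mounts(container):
    """Return the bind mounts whose source is the host's root directory."""
    return [m for m in container.get("Mounts", [])
            if m.get("Type") == "bind" and m.get("Source") == "/"]


def audit_container(container):
    """Return human-readable findings for one `docker inspect` record."""
    findings = []
    name = container.get("Name", "?").lstrip("/")
    host_cfg = container.get("HostConfig", {})
    privileged = bool(host_cfg.get("Privileged"))
    root_mounts = host_root_mounts(container)

    if privileged and root_mounts:
        dests = ", ".join(m.get("Destination", "?") for m in root_mounts)
        findings.append(f"{name}: privileged container with host / mounted at {dests}")
    elif privileged:
        findings.append(f"{name}: privileged container")
    elif root_mounts:
        findings.append(f"{name}: host / bind-mounted (not privileged)")

    if host_cfg.get("PidMode") == "host":
        findings.append(f"{name}: shares the host PID namespace")

    ports = host_cfg.get("PortBindings") or {}
    if SCOPE_PORT in ports:
        findings.append(f"{name}: publishes {SCOPE_PORT} (Weave Scope default dashboard port)")
    return findings


def audit(inspect_output):
    """inspect_output: the JSON text printed by `docker inspect ...`."""
    records = json.loads(inspect_output)
    if isinstance(records, dict):      # a single record rather than a list
        records = [records]
    findings = []
    for record in records:
        findings.extend(audit_container(record))
    return findings


# Constructed sample records, trimmed to the fields this script reads.
SAMPLE = json.dumps([
    {"Name": "/web", "Config": {"Image": "nginx:1.21"},
     "HostConfig": {"Privileged": False,
                    "PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "80"}]}},
     "Mounts": [{"Type": "volume", "Source": "webdata",
                 "Destination": "/usr/share/nginx/html"}]},
    {"Name": "/hungry_bose", "Config": {"Image": "ubuntu:20.04"},
     "HostConfig": {"Privileged": True, "PortBindings": {}},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt"}]},
    {"Name": "/weavescope", "Config": {"Image": "weaveworks/scope:1.13.1"},
     "HostConfig": {"Privileged": True, "PidMode": "host",
                    "PortBindings": {"4040/tcp": [{"HostIp": "0.0.0.0", "HostPort": "4040"}]}},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock"}]},
])

if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for finding in audit(data):
        print("ALERT", finding)
```

The script is deliberately narrow: it looks only for the combination the article describes (privileged plus host root mount) and for the dashboard port, so a legitimate Weave Scope deployment will also be flagged and has to be confirmed against change records.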

Because the attack exploits a Docker API misconfiguration, Intezer recommends that organizations close any exposed Docker API ports to block the initial intrusion: every Docker API port should either be closed or restricted by firewall access policies. Organizations should also block incoming connections to port 4040, the default port on which Weave Scope exposes its dashboard.
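As an added example of the hardening advice above (not code from Intezer or the Docker project), this Python function audits a Docker `daemon.json` for the misconfiguration the attack depends on: the Engine API listening on TCP without TLS client-certificate verification. The weak and hardened configuration fragments are constructed for the example; the management address 10.0.0.5 and the certificate paths are placeholders.

```python
"""Audit a Docker daemon.json for an Engine API listener reachable over TCP
without client-certificate TLS (tlsverify), the weak setting that lets anyone
who can reach the port start privileged containers on the host."""
import json
from urllib.parse import urlsplit


def audit_daemon_config(text):
    """Return a list of issues found in the daemon.json text; [] is clean."""
    cfg = json.loads(text)
    issues = []
    # dockerd listens only on the local Unix socket when "hosts" is absent.
    hosts = cfg.get("hosts", ["unix:///var/run/docker.sock"])
    tlsverify = bool(cfg.get("tlsverify"))
    certs_present = all(cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey"))

    for h in hosts:
        if h.startswith("unix://") or h.startswith("fd://"):
            continue                       # local-only listeners are fine
        if not h.startswith("tcp://"):
            issues.append(f"unrecognised host entry {h!r}")
            continue
        parts = urlsplit(h)
        addr, port = parts.hostname, parts.port
        if not tlsverify:
            issues.append(f"{h}: Engine API over TCP without tlsverify "
                          "(any client that can reach the port gets root on the host)")
        elif not certs_present:
            issues.append(f"{h}: tlsverify set but tlscacert/tlscert/tlskey incomplete")
        if addr in (None, "", "0.0.0.0", "::"):
            issues.append(f"{h}: bound to all interfaces; bind to a management "
                          "address and firewall it")
        if port == 2375:
            issues.append(f"{h}: port 2375 is the well-known plaintext API port")
    return issues


# Constructed weak configuration: the shape the article warns about.
WEAK = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed hardened configuration: management address only, client certs
# required. Address and paths are placeholders.
HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        found = audit_daemon_config(text)
        print(f"{label}: {'OK' if not found else ''}")
        for issue in found:
            print("  -", issue)
```

Run it against `/etc/docker/daemon.json` with `python3 -c 'import sys; from audit_daemon import audit_daemon_config; print(audit_daemon_config(open(sys.argv[1]).read()))' /etc/docker/daemon.json` (module name assumed). The script only reads the daemon configuration; blocking 2375/2376 and 4040 from untrusted networks at the host firewall, as the article recommends, is a separate step it does not perform.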

