Friday, October 23, 03:33
Hackers attack through a legitimate cloud tracking tool!

In a recent attack, hackers from the TeamTNT group relied on a legitimate tool to avoid having to write malware for the cloud infrastructure they had breached. Specifically, they used an open source tool built to monitor and control cloud environments running Docker and Kubernetes, which shrank their footprint on a compromised server.

Analyzing the attack, investigators at the cybersecurity company Intezer found that, beyond using malicious Docker images to infect victims' servers, which was already known, TeamTNT has now been observed using Weave Scope as an effective backdoor into the cloud infrastructure of its targets.

Weave Scope, developed by Weaveworks, is a trusted tool that gives users full visibility into and control over their cloud environment; it integrates with Docker, Kubernetes, the Distributed Cloud Operating System (DC/OS) and AWS Elastic Container Service (ECS). The hackers, however, took advantage of this tool to map their victims' environments and execute system commands without having to develop malicious code. This new tactic shows how the gang is evolving.

According to Intezer security researcher Nicole Fishbein, this is the first time hackers have been observed abusing legitimate third-party software to target cloud infrastructure. Through it, the hackers gained full visibility into, and control over, the victim's cloud environment, so the tool effectively acted as a backdoor. Fishbein also points out that by installing a legitimate tool like Weave Scope, intruders reap all the benefits of installing a backdoor on a server, with significantly less effort and no need for malware.

To install the legitimate Weave Scope tool, the hackers used an exposed Docker API port to create a new privileged container from a clean Ubuntu image. The container was configured to mount the victim server's file system into the container, which gave the attackers access to every file on the server.

The initial command observed by Intezer downloaded and executed several cryptominers. The hackers then tried to gain root access to the host by creating a local privileged user on it, which they used to reconnect over Secure Shell (SSH). Next they downloaded and installed Weave Scope, which, once started, exposed its dashboard to the hackers over HTTP on port 4040.
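The chain described above leaves three artifacts a defender can look for on a Docker host: a privileged container that bind-mounts the host's root directory, a second uid-0 account used for SSH access, and a Weave Scope dashboard listening on 4040 next to the exposed Docker API. The script below is an added example, not Intezer's or TeamTNT's code; it runs the three checks over constructed samples shaped like `docker inspect` JSON, /etc/passwd and `ss -ltnp` output, and the container name, account name and pids in those samples are made up.

```python
"""Detection logic for the intrusion chain described in the article: a
privileged container with the host root mounted, an extra uid-0 account,
and Weave Scope / Docker API listeners bound on every interface.
Added example (not Intezer's or TeamTNT's code); inputs are constructed."""
import json

DOCKER_API_PORTS = (2375, 2376)   # plaintext and TLS Docker API defaults
WEAVE_SCOPE_PORT = 4040           # Weave Scope dashboard default (from the article)

# Constructed `docker inspect` output: one ordinary container, one matching the
# pattern in the article (privileged, clean Ubuntu image, host "/" bind-mounted).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web",
     "Config": {"Image": "nginx:1.19"},
     "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "volume", "Source": "webdata",
                 "Destination": "/usr/share/nginx/html"}]},
    {"Name": "/elegant_dijkstra",
     "Config": {"Image": "ubuntu:18.04"},
     "HostConfig": {"Privileged": True},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host"}]},
])

# Constructed /etc/passwd: "backupsvc" is a made-up second uid-0 account.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
backupsvc:x:0:0::/home/backupsvc:/bin/bash
"""

# Constructed `ss -ltnp` output (pids made up).
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   0.0.0.0:4040      0.0.0.0:*     users:(("scope",pid=4471,fd=8))
LISTEN 0      4096   0.0.0.0:2375      0.0.0.0:*     users:(("dockerd",pid=611,fd=9))
"""


def host_root_containers(inspect_json):
    """Return (name, image) for privileged containers that bind-mount the host's "/"."""
    hits = []
    for c in json.loads(inspect_json):
        privileged = bool(c.get("HostConfig", {}).get("Privileged"))
        host_root = any(m.get("Type") == "bind" and m.get("Source") == "/"
                        for m in c.get("Mounts", []))
        if privileged and host_root:
            hits.append((c["Name"], c["Config"]["Image"]))
    return hits


def extra_uid0_accounts(passwd_text):
    """Return account names other than root whose uid is 0."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            hits.append(fields[0])
    return hits


def exposed_listeners(ss_text, ports=DOCKER_API_PORTS + (WEAVE_SCOPE_PORT,)):
    """Return (port, process) for the given ports when bound on every interface."""
    hits = []
    for line in ss_text.splitlines()[1:]:            # skip the header row
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")
        if int(port) in ports and addr in ("0.0.0.0", "*", "[::]"):
            # process name sits between the first pair of quotes in users:(("name",...))
            proc = parts[5].split('"')[1] if len(parts) > 5 and '"' in parts[5] else "?"
            hits.append((int(port), proc))
    return hits


def triage(inspect_json, passwd_text, ss_text):
    """Combine the three checks into one list of human-readable findings."""
    findings = [f"privileged container {n} ({img}) mounts host /"
                for n, img in host_root_containers(inspect_json)]
    findings += [f"extra uid-0 account: {u}" for u in extra_uid0_accounts(passwd_text)]
    findings += [f"port {p} open on all interfaces ({proc})"
                 for p, proc in exposed_listeners(ss_text)]
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_INSPECT, SAMPLE_PASSWD, SAMPLE_SS):
        print(finding)
```

On a real host, feed `docker inspect $(docker ps -aq)`, `/etc/passwd` and `ss -ltnp` into the three functions; none of the checks alone proves compromise (an operator may legitimately run a privileged debugging container), but all three together match the sequence Intezer describes.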

Because this attack exploits a Docker API misconfiguration, Intezer recommends that organizations close any exposed Docker API ports to prevent the initial intrusion: every Docker API port should either be closed or protected by restrictive firewall access policies. Organizations should also block incoming connections to port 4040, which Weave Scope uses by default to expose its dashboard.
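To make those recommendations concrete, the script below audits a dockerd configuration for the weak setting that enabled the initial intrusion (a TCP API listener on every interface with no client certificate check) and prints the firewall rules that restrict the Docker API and Weave Scope ports to a management network. It is an added example rather than Intezer's own tooling: the two daemon.json samples, the management address and the admin CIDR are constructed, while the keys used (hosts, tlsverify, tlscacert, tlscert, tlskey) are the real /etc/docker/daemon.json options.

```python
"""Audit of dockerd's listener configuration against the mitigations in the
article. Added example, not Intezer's tooling; sample configs, addresses and
the admin network are constructed."""
import json
from urllib.parse import urlparse

# Weak: API on every interface, plaintext, no client certificate check.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Hardened: TCP only on one (constructed) management address, with mutual TLS.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

WILDCARD_BINDS = (None, "", "0.0.0.0", "::")


def audit_daemon_config(daemon_json_text):
    """Return a list of findings for the TCP listeners in a daemon.json document."""
    cfg = json.loads(daemon_json_text)
    findings = []
    # dockerd's default, when "hosts" is absent, is the unix socket only.
    for host in cfg.get("hosts", ["unix:///var/run/docker.sock"]):
        url = urlparse(host)
        if url.scheme != "tcp":
            continue
        if url.hostname in WILDCARD_BINDS:
            findings.append(f"{host}: Docker API bound on all interfaces")
        if not cfg.get("tlsverify"):
            findings.append(f"{host}: TCP listener without tlsverify (any client can run containers)")
        elif not all(cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey")):
            findings.append(f"{host}: tlsverify set but CA, cert or key path missing")
    return findings


def firewall_rules(admin_cidr, ports=(2375, 2376, 4040)):
    """iptables commands (returned as strings, not executed) that admit only
    admin_cidr to the Docker API and Weave Scope ports and drop everyone else."""
    rules = []
    for port in ports:
        rules.append(f"iptables -A INPUT -p tcp --dport {port} -s {admin_cidr} -j ACCEPT")
        rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    for name, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_daemon_config(text) or ["ok"])
    print("\n".join(firewall_rules("10.0.0.0/24")))   # 10.0.0.0/24 is a constructed admin network
```

Two caveats when applying this: dockerd refuses to start if `hosts` is set both in daemon.json and via `-H` in the systemd unit's ExecStart, so move the setting to one place; and the firewall rules only help if the Docker API and Weave Scope are not also published through a cloud security group that sits in front of the host.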
