Researchers Spot First Cloud Attack Abusing Legitimate Tool

A hacking group was observed employing a legitimate tool to gain visibility into and control of compromised cloud environments, threat detection and response company Intezer reported on Tuesday.

Referred to as TeamTNT, the group was previously seen employing a worm to target Docker and Kubernetes systems in order to search for and exfiltrate local credentials, including AWS login information. The hackers deploy cryptocurrency miners onto the affected machines.

In a recent attack, however, the adversary no longer deployed malware onto the compromised systems. Instead, Weave Scope was used to map the cloud environment and execute commands.

Weave Scope provides monitoring, visualization, and control capabilities for Docker and Kubernetes, Distributed Cloud Operating System (DC/OS), and AWS Elastic Compute Cloud (ECS), as well as seamless integration with all of them.

The TeamTNT attacks, Intezer explains, usually start with malicious Docker images that are hosted on Docker Hub, but also involve the use of crypto-miners and malicious scripts. The new attack also revealed the abuse of the legitimate open source Weave Scope tool to take over the victim’s cloud infrastructure.

An exposed Docker API port is abused to create a new privileged container on which a clean Ubuntu image runs. The attackers configure the container so that its file system is mounted to that of the victim server, thus gaining access to the files on the server.

Next, the attackers instruct the container to download and run crypto-miners, after which they attempt to elevate privileges to root by setting a local privileged user ‘hilde’ on the host server and connecting through it via SSH.

At this point, Weave Scope is downloaded and installed, to control the victim’s cloud environment. The Weave Scope dashboard displays a visual map of the Docker infrastructure and allows the attackers to execute shell commands without installing malware.

“Not only is this scenario incredibly rare, to our knowledge this is the first time an attacker has downloaded legitimate software to use as an admin tool on the Linux operating system,” Intezer notes.

To stay protected, organizations are advised to close exposed Docker API ports (the attackers gain access through misconfigured Docker API) and block incoming connections to port 4040 (used to access the Weave Scope dashboard). They should also follow best practices when securing Docker environments, and install a security solution to protect Linux cloud servers and containers.

Employing the Zero Trust Execution (ZTE) policy for workloads should also prevent TeamTNT attacks, as it creates a baseline of workloads and monitors for and blocks any unauthorized code or applications from executing. Although a legitimate tool, Weave Scope would be flagged by ZTE for deviating from the trusted baseline.

Related: Crypto-Mining Worm Targets AWS Credentials

Related: XORDDoS, Kaiji DDoS Botnets Target Docker Servers

Related: Misconfigured Docker Registries Expose Thousands of Repositories

view counter

Ionut Arghire is an international correspondent for SecurityWeek.

Previous Columns by Ionut Arghire:
Tags: