TeamTNT has added the legitimate Weave Scope software to its attack toolkit in the quest to infiltrate cloud environments.
TeamTNT has previously been linked to attacks against Docker and Kubernetes installations. Last month, the threat actors were connected to a cryptocurrency-mining botnet that is able to steal AWS credentials from servers. The group is also known to upload malicious Docker images to Docker Hub.
Microsoft says that malicious images spotted in mid-August were deployed from a repository not seen in past attacks. One Docker image, in particular, pause-amd64:3.3, connects to a server based in Germany that contains malicious scripts and additional tools used by the group.
The group's latest evolution, however, is the abuse of Weave Scope.
Weave Works' Weave Scope is open source visualization and monitoring software for Docker, Kubernetes, DC/OS (Distributed Cloud Operating System), and AWS Elastic Container Service (ECS). It lets users watch the running processes and network connections of containers in cloud environments through a dedicated web interface. The software also lets administrators open shells in containers and on cluster hosts as root, and it does not require authentication by default.
The tool itself is legitimate and useful, but TeamTNT is taking advantage of cloud service misconfiguration, specifically a Weave Scope interface left reachable from the internet on its default port 4040 with no authentication, to deploy the software as a backdoor.
"We see cluster administrators who enable public access to this interface, as well as other similar services," Microsoft says. "Attackers, including this group [TeamTNT], take advantage of this misconfiguration and use the public access to compromise Kubernetes clusters."
To install Weave Scope, TeamTNT first looks for an exposed Docker API. If one is found, the group uses it to create a new privileged container from a clean Ubuntu image, with the host's file system mounted inside the container and commands to download and run cryptocurrency miners.
The next stage of the attack chain is to create a local privileged user on the host server, connect back to the host over SSH as that user, and install Weave Scope.
"The attackers install this tool in order to map the cloud environment of their victim and execute system commands without deploying malicious code on the server," the researchers say. "To our knowledge, this is the first time attackers have been caught using legitimate third-party software to target cloud infrastructure."
Essentially, this allows Weave Scope to act as a backdoor into cloud installations and grants attackers the ability to monitor systems, install applications, use compute resources, and start, stop, or open shells in containers.
Because the attack depends on common misconfigurations, an exposed Docker API and a Weave Scope interface reachable on port 4040, researchers recommend that system administrators block incoming connections to port 4040, keep the Docker API off the public internet, and consider applying zero-trust security practices to cloud infrastructure.
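A host-side check for the two conditions described above, the exposed Docker API and privileged host-mounting container in the attack chain, and the Weave Scope interface bound on port 4040 in the recommendation. This is an added example, not code from Microsoft's research, Weave Works, or TeamTNT's toolkit. It parses `ss -lntp` output to find the Docker API (2375/2376) or Weave Scope (4040) listening on every interface, and `docker inspect`-style records to find privileged containers that bind-mount the host's root directory. The `ss` lines and the container records embedded below are constructed sample data in the shape of real `ss` and `docker inspect` output, so the script runs offline; on a live host, feed it the output of `ss -lntp` and `docker inspect $(docker ps -q)` instead.

```python
"""Audit a Docker host for an exposed Docker API or Weave Scope UI, and for
privileged containers that mount the host root. Added example with constructed
sample data; not code from the research or projects discussed above."""

# Ports the article is concerned with: the Docker daemon's TCP API (2375 plain,
# 2376 TLS) and the Weave Scope app UI (4040).
WATCHED_PORTS = {2375: "Docker API (no TLS)", 2376: "Docker API (TLS)", 4040: "Weave Scope"}

# Local-address forms that `ss` prints for "listening on every interface".
WILDCARD_ADDRS = {"0.0.0.0", "*", "::", "[::]"}

# Constructed sample of `ss -lntp` output (not captured from a real host).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:4040      0.0.0.0:*          users:(("scope-app",pid=2210,fd=7))
LISTEN  0       4096    *:2375              *:*                users:(("dockerd",pid=911,fd=6))
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=640,fd=3))
LISTEN  0       4096    [::]:4040           [::]:*             users:(("scope-app",pid=2210,fd=8))
"""

# Constructed sample in the shape of `docker inspect` JSON (trimmed to the
# fields used here). Names and images are illustrative, not real indicators.
SAMPLE_CONTAINERS = [
    {   # unprivileged web container, no host mounts: nothing to report
        "Name": "/web",
        "Config": {"Image": "nginx:1.19"},
        "HostConfig": {"Privileged": False, "Binds": []},
        "Mounts": [],
    },
    {   # the pattern described above: clean Ubuntu image, privileged, host root mounted
        "Name": "/build-agent",
        "Config": {"Image": "ubuntu:18.04"},
        "HostConfig": {"Privileged": True, "Binds": ["/:/mnt/host"]},
        "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt/host"}],
    },
    {   # privileged but only a subdirectory mounted: worth a look, not the full pattern
        "Name": "/node-exporter",
        "Config": {"Image": "prom/node-exporter:v1.0.1"},
        "HostConfig": {"Privileged": True, "Binds": ["/proc:/host/proc:ro"]},
        "Mounts": [{"Type": "bind", "Source": "/proc", "Destination": "/host/proc"}],
    },
]


def exposed_listeners(ss_output):
    """Return sorted (port, local_addr, service) for watched ports bound to all interfaces."""
    findings = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue  # header line or a non-listening socket
        addr, _, port = parts[3].rpartition(":")  # handles "*:2375" and "[::]:4040"
        if not port.isdigit():
            continue
        port = int(port)
        if port in WATCHED_PORTS and addr in WILDCARD_ADDRS:
            findings.append((port, addr, WATCHED_PORTS[port]))
    return sorted(findings)


def _host_root_mounted(container):
    """True if any bind mount (Mounts or HostConfig.Binds) has the host root as its source."""
    sources = [m.get("Source", "") for m in container.get("Mounts", []) if m.get("Type") == "bind"]
    sources += [b.split(":", 1)[0] for b in container.get("HostConfig", {}).get("Binds") or []]
    return any(s and s.strip("/") == "" for s in sources)


def suspicious_containers(containers):
    """Flag containers that are privileged and/or bind-mount the host root.

    A container with both reasons matches the pattern in the attack chain above:
    privileged, host file system mounted, used as a foothold on the host.
    """
    report = []
    for c in containers:
        reasons = []
        if c.get("HostConfig", {}).get("Privileged"):
            reasons.append("privileged")
        if _host_root_mounted(c):
            reasons.append("host-root-mount")
        if reasons:
            report.append({
                "name": c.get("Name", "?"),
                "image": c.get("Config", {}).get("Image", "?"),
                "reasons": reasons,
                "matches_pattern": len(reasons) == 2,
            })
    return report


if __name__ == "__main__":
    for port, addr, svc in exposed_listeners(SAMPLE_SS):
        print(f"EXPOSED  {svc} listening on {addr}:{port}")
    for c in suspicious_containers(SAMPLE_CONTAINERS):
        tag = "PATTERN" if c["matches_pattern"] else "check  "
        print(f"{tag}  {c['name']} ({c['image']}): {', '.join(c['reasons'])}")
```

On the sample data the listener check reports the Docker API on `*:2375` and Weave Scope on `[::]:4040` but not the loopback-only `127.0.0.1:4040` socket, which is the configuration an administrator wants; the container check reports `/build-agent` as a full match and `/node-exporter` as privileged-only. A privileged container that mounts only a subdirectory, or a non-privileged one that mounts `/`, is still root-equivalent in practice, so treat any single reason as worth reviewing rather than as a clean result.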
"Misconfigured services seem to be among the most popular and dangerous access vectors when it comes to attacks against Kubernetes clusters," Microsoft commented.
Update 16.38 BST: In response to the research, Weave Works has published an advisory on how administrators can prevent the tool from being abused.