TeamTNT Gains Full Remote Takeover of Cloud Instances


Using a legitimate tool called Weave Scope, the cybercrime group is establishing fileless backdoors on targeted Docker and Kubernetes clusters.

The TeamTNT cybercrime gang is back, attacking Docker and Kubernetes cloud instances by abusing a legitimate cloud-monitoring tool called Weave Scope, according to researchers.

The open-source Weave Scope “provides a top down view into your app as well as your entire infrastructure, and allows you to diagnose any problems with your distributed containerized app, in real time, as it is being deployed to a cloud provider,” according to its website.

In other words, it’s a trusted tool that researchers at Intezer explained gives users full access to cloud environments. It can be integrated with Docker, Kubernetes, the Distributed Cloud Operating System (DC/OS) and Amazon Web Services Elastic Compute Cloud (ECS) – and it gives cybercriminals a perfect entree into a company’s cloud infrastructure.


“The attackers install this tool in order to map the cloud environment of their victim and execute system commands without deploying malicious code on the server,” explained Nicole Fishbein, a malware analyst at Intezer, in a posting on Tuesday. “When abused, Weave Scope gives the attacker full visibility and control over all assets in the victim’s cloud environment, essentially functioning as a backdoor.”

Attackers thus can gain access to all information about the victim’s server environment as well as the ability to control installed applications, making or breaking connections between cloud workloads, use of the memory and CPU, and “a list of existing containers with the ability to start, stop and open interactive shells in any of these containers,” according to the researcher.

Attack Scenario

Intezer has seen a spate of these types of attacks. As for how the abuse begins, attackers first locate an exposed, misconfigured Docker API port, Fishbein detailed – misconfigurations are the starting point for most attacks on the cloud. They then can use that port to create a new privileged container with a clean Ubuntu image.

“The container is configured to mount the file system of the container to the filesystem of the victim server, thus gaining the attackers access to all files on the server,” she explained. “The attackers then attempt to gain root access to the server by setting up a local privileged user named ‘hilde’ on the host server and use it in order to connect back via SSH.”

In the recently spotted spate of attacks, once “in,” the initial command given to the container is to download and execute several cryptominers. But next, the attackers download and install Weave Scope.

“As described in the installation guide in Weave Scope’s git, it takes only a few commands to complete installation of the tool,” Fishbein said. “Once installed, the attackers can connect to the Weave Scope dashboard via HTTP on port 4040 and gain full visibility and control over the victim’s infrastructure.”

Microsoft also observed the group’s latest activity employing Weave Scope, and found that the initial access point was actually Weave Scope itself being misconfigured and publicly exposed.

Microsoft researchers discovered a malicious TeamTNT image on several Azure Kubernetes Service (AKS) clusters (AKS is a managed Kubernetes service that allows customers to easily deploy a Kubernetes cluster in Azure). They then looked into how this image was able to be deployed into the AKS environment.

“In such a scenario, it is less likely that Docker API service will be exposed to the internet, as the AKS nodes are configured with the proper configuration of the Docker server,” the firm said, in a Tuesday post. “Therefore, we could assume that the attackers had a different access vector in those incidents. When we looked for the common deployments of the various Kubernetes clusters that were infected by this image, we noticed that all of them have an open Weave Scope service.”

Information about the victim environment is presented via a browser-based dashboard that offers a visual map of the Docker runtime cloud environment. This dashboard can also be used to give shell commands – eliminating the need for TeamTNT to run code on the server itself.

The TeamTNT group specializes in attacking the cloud, usually with a malicious Docker image — and has proven itself to be innovative. Fishbein said that this latest set of infections appears to be the first time such a legitimate tool has been used in cloud attacks. TeamTNT also has been previously documented deploying unique and rare credential-stealing worms within AWS.

As with most cloud threats, proper configuration of cloud workloads and services so that they’re not exposed to the open internet can thwart these attacks. Thus, Fishbein recommends that companies close any exposed Docker API ports or at least restrict access via firewall policies and block incoming connections to port 4040, which is the default for Weave Scope to make the dashboard accessible.
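The following is an added audit script, not code from the article or from Intezer, Microsoft or Weave Scope. It checks for the two conditions the attack scenario above depends on (a Docker API published on a non-loopback TCP socket without TLS, and a privileged container with the host's root filesystem bind-mounted) and for the mitigation point of a Weave Scope dashboard published on all interfaces on port 4040. The `docker inspect`-style records and the `daemon.json` are constructed samples.

```python
import json

# Constructed sample in the shape of `docker inspect` output (not real data):
# a privileged "clean Ubuntu" container with the host's / bind-mounted, a Weave
# Scope container publishing 4040 on all interfaces, and a benign web container.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/clean-ubuntu", "Config": {"Image": "ubuntu:latest"},
     "HostConfig": {"Privileged": True, "Binds": ["/:/mnt/host"]},
     "NetworkSettings": {"Ports": {}}},
    {"Name": "/weavescope", "Config": {"Image": "weaveworks/scope:latest"},
     "HostConfig": {"Privileged": False, "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]},
     "NetworkSettings": {"Ports": {"4040/tcp": [{"HostIp": "0.0.0.0", "HostPort": "4040"}]}}},
    {"Name": "/web", "Config": {"Image": "nginx:1.19"},
     "HostConfig": {"Privileged": False, "Binds": []},
     "NetworkSettings": {"Ports": {"80/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8080"}]}}},
])
# Constructed daemon.json publishing the Docker API on all interfaces without TLS.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

def host_root_mounted(host_config):
    """True if the host's / is bind-mounted into the container."""
    return any(b.split(":", 1)[0] == "/" for b in host_config.get("Binds") or [])

def publicly_bound(ports, port_key):
    """True if port_key (e.g. '4040/tcp') is published on a non-loopback host IP."""
    return any(b.get("HostIp", "") in ("", "0.0.0.0", "::")
               for b in (ports or {}).get(port_key) or [])

def docker_api_exposed(daemon_json):
    """True if daemon.json publishes the API on a non-loopback TCP socket without tlsverify."""
    cfg = json.loads(daemon_json)
    if cfg.get("tlsverify"):
        return False
    return any(h.startswith("tcp://") and not h.startswith("tcp://127.0.0.1")
               for h in cfg.get("hosts", []))

def audit_containers(inspect_json):
    """Return (container, finding) pairs for the two container-level patterns described above."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "?").lstrip("/")
        hc = c.get("HostConfig", {})
        if hc.get("Privileged") and host_root_mounted(hc):
            findings.append((name, "privileged container with host / bind-mounted"))
        if publicly_bound(c.get("NetworkSettings", {}).get("Ports"), "4040/tcp"):
            findings.append((name, "port 4040 (Weave Scope default) published on all interfaces"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_containers(SAMPLE_INSPECT):
        print(f"{name}: {finding}")
    print("docker API exposed:", docker_api_exposed(SAMPLE_DAEMON_JSON))
```

On a real host, feed it `docker inspect $(docker ps -q)` and `/etc/docker/daemon.json`; a published 4040 is only acceptable when the dashboard sits behind an authenticating proxy and firewall rules, which this script does not check.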

“Since Weave Scope does not use any authentication by default, exposure of this service to the internet poses a severe security risk,” according to Microsoft. “And still, we see cluster administrators who enable public access to this interface, as well as other similar services. Attackers, including this group, take advantage of this misconfiguration and use the public access to compromise Kubernetes clusters.”
