The threat detection and response firm Intezer has observed a hacking group using the Weave Scope visualization and monitoring tool to gain visibility into and take control of compromised Docker and Kubernetes cloud environments.
The hacking group, referred to as TeamTNT by Intezer, is known to target Docker and Kubernetes systems and has been observed using a credential-stealing worm to discover and exfiltrate AWS login credentials. The group then deploys cryptocurrency miners on the compromised machines.
TeamTNT has now changed its tactics, techniques, and procedures and has been observed installing Weave Scope and uses it to map cloud environments and execute commands.
Weave Scope is a popular tool for providing visibility into cloud environments and is used by many businesses for monitoring and control of Docker, Kubernetes, AWS Elastic Compute Cloud (ECS) and Distributed Cloud Operating System (DC/OS) environments.
Weave Scope is an extremely useful tool for TeamTNT, as it functions as a backdoor into cloud environments, giving the hackers full control over the victim’s cloud infrastructure. Through the Weave Scope user interface, which is accessed through a browser, the attackers have access to all information and metadata about containers, processes, and hosts.
Initial access is usually gained via malicious Docker images hosted on Docker hub. In the latest attacks, the attackers exploit an exposed Docker API port to create a privileged container that runs a clean Ubuntu image. The container is configured with its file system mounted on the victim server, giving the attacker access to the files on that server.
The container is then instructed to download and execute cryptocurrency miners. The attackers then elevate privileges to root and create a local privileged user called hilde on the host server, which connects through SSH.
TeamTNT then downloads and installs Weave Scope, accesses the dashboard via HTTP on port 4040, and through that gains full control of the cloud environment, allowing them to execute shell commands without having to install malware.
Intezer says this is the first known case of hackers using legitimate software as an admin tool on the Linux operating system.
There are steps businesses can take to prevent such an attack. Cloud workloads and services need to be carefully configured and controlled. It is essential to close exposed Docker API ports or restricted access in the firewall.
Incoming connections should be blocked on port 4040, or at least restricted by the firewall. If not, anyone with access to the network will be able to access the Weave Scope dashboard.
Intezer has also published IoCs here, which should also be blocked.