The cybercrime group TeamTNT, known for its attacks on Docker and Kubernetes cloud environments, has switched to a new tactic that allows it to take over Docker and Kubernetes instances without planting malicious code on servers.
The hackers are now using a legitimate tool called Weave Scope, which gives its user full access to a cloud environment and integrates with Docker, Kubernetes, the Distributed Cloud Operating System (DC/OS), and AWS Elastic Compute Cloud (ECS), in order to map the cloud environment of their victim and execute system commands, according to new research from Intezer.
The firm said this is the first known case where attackers use legitimate third-party software as a backdoor that gives them full access to targeted cloud environments.
The initial stage of the attack involves the hackers using an exposed Docker API port to create a new privileged container from a clean Ubuntu image on a server. This container is configured to mount the victim server's filesystem into the container, giving the attackers access to all files on the server. The hackers then execute commands to download and run several cryptominers. The attackers then attempt to gain root access to the server by setting up a local privileged user named ‘hilde’ on the host and using it to connect back over SSH.
In the next stage of the attack, the group installs the Weave Scope utility on the server, which allows them to connect to the Weave Scope dashboard via HTTP on port 4040 and gain full visibility and control over the victim’s infrastructure.
“From the dashboard the attackers can see a visual map of the Docker runtime cloud environment and give shell commands without needing to deploy any malicious backdoor component. Not only is this scenario incredibly rare, to our knowledge this is the first time an attacker has downloaded legitimate software to use as an admin tool on the Linux operating system,” the researchers said.
To protect themselves from such attacks, users are advised to close exposed Docker API ports and block incoming connections to port 4040.
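The following audit script is an added example written for this page, not code from Intezer or from the Weave Scope project. It checks a host for the three conditions the article describes from a defender's side: a Docker daemon configured to listen on a non-loopback TCP address, listening sockets on the default Docker API ports (2375/2376) or the Weave Scope dashboard port (4040), and running containers that are privileged and bind-mount the host's root filesystem or run a Weave Scope image. The `daemon.json` content, the `ss -tlnH` lines and the `docker inspect` records are constructed sample inputs so the script runs offline; on a real host you would feed it `/etc/docker/daemon.json`, the output of `ss -tlnH`, and `docker inspect $(docker ps -q)`. The image name `weaveworks/scope` is assumed to be the published Weave Scope image.

```python
"""Audit a Docker host for the exposure and container patterns described above.

Added example: the sample inputs below are constructed, not captured from a real host.
"""
import json
from dataclasses import dataclass
from typing import Iterable, List

DOCKER_API_PORTS = {2375, 2376}   # default plaintext / TLS Docker daemon TCP ports
WEAVE_SCOPE_PORT = 4040           # Weave Scope dashboard port named in the article
WEAVE_SCOPE_IMAGE = "weaveworks/scope"   # assumed published image name
LOOPBACK_PREFIXES = ("127.", "::1", "[::1]")


@dataclass
class Finding:
    severity: str
    message: str


def _is_loopback(host: str) -> bool:
    """True only for explicit loopback addresses; '', '*', '0.0.0.0' and '[::]' are exposed."""
    return host.startswith(LOOPBACK_PREFIXES)


def audit_daemon_config(daemon_json: str) -> List[Finding]:
    """Flag 'hosts' entries in /etc/docker/daemon.json that bind the API to a non-loopback TCP address."""
    cfg = json.loads(daemon_json)
    findings = []
    for entry in cfg.get("hosts", []):
        if not entry.startswith("tcp://"):
            continue                      # unix:// and fd:// sockets are not network-exposed
        host = entry[len("tcp://"):].rsplit(":", 1)[0]
        if not _is_loopback(host):
            findings.append(Finding("high", f"Docker API bound to non-loopback TCP address {entry}"))
    return findings


def audit_listening_sockets(ss_lines: Iterable[str]) -> List[Finding]:
    """Parse `ss -tlnH` lines (State Recv-Q Send-Q Local:Port Peer:Port ...) for the two ports."""
    findings = []
    for line in ss_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        host, _, port = parts[3].rpartition(":")
        if not port.isdigit():
            continue
        port = int(port)
        exposed = not _is_loopback(host)
        if port in DOCKER_API_PORTS and exposed:
            findings.append(Finding("high", f"Docker API port {port} listening on {host}"))
        elif port == WEAVE_SCOPE_PORT:
            # Scope listening at all is worth a look; reachable from the network is worse
            findings.append(Finding("high" if exposed else "medium",
                                    f"Weave Scope dashboard port {port} listening on {host}"))
    return findings


def audit_containers(inspect_json: str) -> List[Finding]:
    """Scan `docker inspect` output for privileged containers mounting host / and for Scope images."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "?").lstrip("/")
        image = c.get("Config", {}).get("Image", "")
        privileged = bool(c.get("HostConfig", {}).get("Privileged"))
        host_root_mount = any(m.get("Type") == "bind" and m.get("Source") == "/"
                              for m in c.get("Mounts", []))
        if privileged and host_root_mount:
            findings.append(Finding("critical",
                                    f"container {name} is privileged and bind-mounts host / (image {image})"))
        elif privileged:
            findings.append(Finding("medium", f"container {name} runs privileged"))
        if WEAVE_SCOPE_IMAGE in image:
            findings.append(Finding("medium", f"container {name} runs Weave Scope image {image}"))
    return findings


# --- constructed sample inputs (not real data) ---
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_SS_LINES = [
    "LISTEN 0 4096 0.0.0.0:2375 0.0.0.0:*",
    "LISTEN 0 4096 127.0.0.1:4040 0.0.0.0:*",
    "LISTEN 0 128 0.0.0.0:22 0.0.0.0:*",
]
SAMPLE_INSPECT = json.dumps([
    {"Name": "/suspicious", "Config": {"Image": "ubuntu:20.04"},
     "HostConfig": {"Privileged": True},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host"}]},
    {"Name": "/scope", "Config": {"Image": "weaveworks/scope:latest"},
     "HostConfig": {"Privileged": True},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock"}]},
])


def run_audit() -> List[Finding]:
    """Run all three checks over the sample inputs and return the combined findings."""
    return (audit_daemon_config(SAMPLE_DAEMON_JSON)
            + audit_listening_sockets(SAMPLE_SS_LINES)
            + audit_containers(SAMPLE_INSPECT))


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f.severity}] {f.message}")
```

A daemon that only exposes `unix:///var/run/docker.sock` or `tcp://127.0.0.1:2375` produces no daemon finding, and port 22 is ignored. The container check is deliberately narrow: it reports the exact combination the article describes (privileged plus a bind of `/`) as critical, and a merely privileged container or a Scope image as medium, so the output stays actionable rather than noisy.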