Categories: News

Attackers transformed cloud monitoring tools into backdoor

The group known as TeamTNT managed to turn cloud monitoring tools into a backdoor. Thus, they performed malicious attacks.

TeamTNT usually targets cloud environments, including Docker and Kubernetes.

Monitoring tools, used for the first time

The cybersecurity company Intezer discovered the new attacks. ”To our knowledge, this is the first time attackers have been caught using legitimate third party software to target cloud infrastructure,” the company announced.

So, TeamTNT managed to map the cloud environment of their victims and also execute malicious code. And they did it without having to deploy malicious code on the target servers. Instead, they used a visualization and monitoring tool for Docker and Kubernetes services, called Weave Scope.

They installed crytpocurrency mining malware

The group has been known to be active since late April 2020 and they have been usually directing their attacks on misconfigured Docker ports. Through these, they installed crytpo-mining malware and also a DdoS (Distribute Denial-of-Service) bot.

In July, they managed to steal Amazon Web Services logins. To do this, they infected the Docker and Kubernetes systems for sensitive data in the AWS credentials and config files.

They changed the method of gaining control of the infected infrastructure. So, as soon as they found the way in, they used a clean Ubuntu image in order to set up a privileged container. Then they used it to gain root access by creating a privileged user. With it, they connected to the server and eventually installed Weave Scope.

Using this legitimate tool, “ the attakcers reap all the benefits as if they had installed a bakdoor on the server”, Nicole Fishbein, from Intezer, mentioned. And all this without having to use mallware.

What to do?

The security experts mentioned that there is a way to stay safe in front of such attacks.

“Weave Scope uses default port 4040 to make the dashboard accessible and anyone with access to the network can view the dashboard. Similar to the Docker API port, this port should be closed or restricted by the firewall,” the cybersecurity firm said.

Users should take these steps because although the goal of the team is to generate cash via crytpcurrency mining. Still, there were groups that managed to used cryptojacking worms to compromise enterprise systems.

In order to prevent attackers from taking control over the servers, companies should restrict access to Docker API endpoints.

Laurentiu Titei

Recent Posts

Camera Driver Download, Update, and Install on Windows 11, 10

If you wish to download and update the camera driver for Windows 11/10 to run…

21 hours ago

Fixed: Something Went Wrong 1001 Error on Windows 11 and 10

If you are also getting the Microsoft Something Went Wrong 1001 or Error Code 1001…

4 days ago

How to Fix Mouse Cursor Disappears on Windows 10/11

If you also feel that the touchpad cursor disappears/the mouse cursor disappears on a Windows…

5 days ago

How to Add or Remove Programs on Windows 10 and 11

If you want to know how to add or remove programs to and from Windows…

6 days ago

How to Download ViGEm Bus Driver Safely for Windows 11,10

If you want to download and update the ViGEm bus driver safe then you can…

7 days ago

How to Fix bootrec /fixboot Access is denied Error in Windows 11

If you are getting the bootrec /fixboot access is denied error on the Windows 11/10…

1 week ago