Overview: Latest Attack by TeamTNT

The latest attack by TeamTNT uses the monitoring tool Weave Scope to gain administrative access to cloud environments. The TeamTNT attack targets Docker, Kubernetes, Distributed Cloud Operating System (DC/OS), and AWS Elastic Compute Cloud instances. TeamTNT has a history of compromising cloud environments with a variety of tools and attack methods.

Tactics, Techniques, and Procedures

With this method, TeamTNT can avoid deploying malicious code or modifying the tool being utilized. The tool in question, Weave Scope, is used to monitor and administer cloud environments using a centralized dashboard. It allows TeamTNT to perform reconnaissance by viewing the configuration of the various systems, and it also provides backdoor access.


Exposed Docker API

The attack chain starts by identifying exposed Docker API ports and then creating a privileged container running a clean Ubuntu image. The new container is configured to mount the file system used by the target server. As part of the initial setup, the new malicious container downloads and installs various crypto miners. TeamTNT then sets up SSH with a privileged user account and uses the curl command to download Weave Scope. From there, the threat actor sets up Weave Scope per the instructions provided by the vendor.

Once Weave Scope is installed successfully, TeamTNT can run shell commands and view the cloud environment using a web-based dashboard over port 4040.

Business Unit Impact

  • May result in the loss of control over critical cloud assets.
  • Could lead to heavy resource usage as various miners execute in the environment.
  • Could provide privileged access to sensitive data on potentially multiple containers.

Our Recommendations

We strongly recommend blocking external access to Docker API ports. Consider blocking the indicators of compromise using the blocklist linked below. It may be worthwhile to restrict or block access to port 4040 in your environment.
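One way to check a host against these recommendations, as an added example that is not part of the original report: the script flags watched ports bound to non-loopback addresses in `ss -ltn` output, and privileged containers that bind-mount the host root in `docker inspect` output. Ports 2375/2376 are Docker's conventional API ports (an assumption, since the report names only 4040), and the function names and sample data are constructed for illustration.

```python
import json

# Assumption: 2375/2376 are Docker's conventional API ports; 4040 is from the report.
WATCHED_PORTS = {2375: "Docker API (plain)", 2376: "Docker API (TLS)", 4040: "Weave Scope UI"}

def exposed_listeners(ss_output):
    """Return (port, label, address) for watched ports bound to non-loopback addresses."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or non-listening socket
        addr, _, port = fields[3].rpartition(":")
        addr = addr.strip("[]")  # IPv6 addresses are printed in brackets
        if not port.isdigit() or int(port) not in WATCHED_PORTS:
            continue
        if addr.startswith("127.") or addr == "::1":
            continue  # loopback only: not reachable from outside the host
        findings.append((int(port), WATCHED_PORTS[int(port)], addr))
    return findings

def risky_containers(inspect_json):
    """Return names of privileged containers that bind-mount the host root filesystem."""
    risky = []
    for c in json.loads(inspect_json):
        privileged = c.get("HostConfig", {}).get("Privileged", False)
        host_root = any(m.get("Type") == "bind" and m.get("Source") == "/"
                        for m in c.get("Mounts", []))
        if privileged and host_root:
            risky.append(c.get("Name", "?").lstrip("/"))
    return risky

# Constructed sample data (not taken from a real incident).
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   0.0.0.0:2375       0.0.0.0:*
LISTEN 0      128    127.0.0.1:4040     0.0.0.0:*
LISTEN 0      128    [::]:4040          [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*"""
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "HostConfig": {"Privileged": False}, "Mounts": []},
    {"Name": "/ubuntu-job", "HostConfig": {"Privileged": True},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host"}]},
])

if __name__ == "__main__":
    for port, label, addr in exposed_listeners(SAMPLE_SS):
        print(f"exposed: {label} on {addr}:{port}")
    for name in risky_containers(SAMPLE_INSPECT):
        print(f"privileged container with host root mounted: {name}")
```

On a live host, pass the output of `ss -ltn` and `docker inspect $(docker ps -q)` to the two functions in place of the samples.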



Supporting Documentation:

Blocklist: https://www.intezer.com/blog/cloud-workload-protection/attackers-abusing-legitimate-cloud-monitoring-tools-to-conduct-cyber-attacks/

MITRE Mapping(s)

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.
