Overview: Latest Attack by TeamTNT
The latest attack by TeamTNT uses the monitoring tool Weave Scope to gain administrative access to cloud environments. The attack targets Docker, Kubernetes, Distributed Cloud Operating System (DC/OS), and AWS Elastic Compute Cloud instances. TeamTNT has a history of compromising cloud environments with a variety of tools and attack methods.
Tactics, Techniques, and Procedures
By abusing a legitimate tool, TeamTNT avoids deploying its own malicious code or modifying the tool it relies on. The tool in question, Weave Scope, is used to monitor and administer cloud environments from a centralized dashboard. It allows TeamTNT to perform reconnaissance by viewing the configuration of the various systems, and it also provides backdoor access.
Exposed Docker API
The attack chain starts by identifying exposed Docker API ports and then creating a privileged container running a clean Ubuntu image. The new container is configured to mount the file system of the target server. During initial setup, the new malicious container downloads and installs various cryptominers. TeamTNT then sets up SSH with a privileged user account and uses the curl command to download Weave Scope. From there, the threat actor sets up Weave Scope following the instructions provided by the vendor.
Once Weave Scope is installed successfully, TeamTNT can run shell commands and view the cloud environment using a web-based dashboard over port 4040.
Business Unit Impact
- May result in the loss of control over critical cloud assets.
- Could lead to heavy resource usage as various miners execute in the environment.
- Could provide privileged access to sensitive data on potentially multiple containers.
It is highly encouraged that external access to Docker API ports be blocked. Consider blocking the indicators of compromise using the blocklist linked below. It may be worthwhile to restrict or block access to port 4040 in your environment.
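As an added defender-side example (not code from the report or from Avertium), the following Python audits `docker inspect` output and a `daemon.json` for the three observable parts of this chain: a Docker API listening on a non-loopback TCP socket, a privileged container with the host's root filesystem bind-mounted, and a container publishing the Weave Scope dashboard on 4040/tcp. The container records and the `daemon.json` `hosts` value are constructed sample data.

```python
# Audit helpers for the pattern above: privileged container with host / mounted,
# published Weave Scope port, and a dockerd API listener reachable beyond loopback.
WEAVE_SCOPE_PORT = "4040/tcp"
LOOPBACK = ("127.0.0.1", "localhost", "[::1]")

def api_exposed(daemon_config: dict) -> bool:
    """True if daemon.json lists a TCP listener not bound to a loopback address."""
    for host in daemon_config.get("hosts", []):
        if host.startswith("tcp://"):
            addr = host[len("tcp://"):].rsplit(":", 1)[0]
            if addr not in LOOPBACK:
                return True
    return False

def mounts_host_root(container: dict) -> bool:
    """True if the host's / is bind-mounted anywhere inside the container."""
    binds = container.get("HostConfig", {}).get("Binds") or []
    if any(b.split(":")[0] == "/" for b in binds):
        return True
    return any(m.get("Type") == "bind" and m.get("Source") == "/"
               for m in container.get("Mounts", []))

def audit_containers(inspect_output: list) -> list:
    """Return (name, reason) pairs for each container matching the pattern."""
    findings = []
    for c in inspect_output:
        name = c.get("Name", "").lstrip("/")
        if c.get("HostConfig", {}).get("Privileged") and mounts_host_root(c):
            findings.append((name, "privileged container with host / mounted"))
        ports = c.get("NetworkSettings", {}).get("Ports") or {}
        if ports.get(WEAVE_SCOPE_PORT):  # value is None when exposed but not published
            findings.append((name, "publishes Weave Scope dashboard port 4040"))
    return findings

# Constructed sample data (not real telemetry): a normal web container and one
# shaped like the attack chain, plus a daemon.json that exposes the API.
SAMPLE_INSPECT = [
    {"Name": "/web", "HostConfig": {"Privileged": False,
     "Binds": ["/srv/www:/usr/share/nginx/html:ro"]}, "Mounts": [],
     "NetworkSettings": {"Ports": {"80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "80"}]}}},
    {"Name": "/ubuntu_clean", "HostConfig": {"Privileged": True, "Binds": ["/:/mnt/host"]},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt/host"}],
     "NetworkSettings": {"Ports": {WEAVE_SCOPE_PORT: [{"HostIp": "0.0.0.0", "HostPort": "4040"}]}}},
]
SAMPLE_DAEMON_JSON = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}

if __name__ == "__main__":
    print("Docker API exposed beyond loopback:", api_exposed(SAMPLE_DAEMON_JSON))
    for name, reason in audit_containers(SAMPLE_INSPECT):
        print(f"{name}: {reason}")
```

In a real environment, feed it the output of `docker inspect $(docker ps -q)` and the daemon's `/etc/docker/daemon.json`; a hit on any of the three checks is worth investigating even when no miner is running.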
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report outlines a “top-of-mind” threat and how it ought to be addressed.
This informed analysis is based on the latest data available.