Hackers Use Cloud Monitoring Tool to Install Cryptominers
Reports: TeamTNT Using Weave Scope Tool to Target Cloud Platforms
TeamTNT, a recently uncovered hacking group, is weaponizing Weave Scope, a legitimate cloud monitoring tool, to help install cryptominers in cloud environments, according to reports from Microsoft and Intezer.
The hacking group, which security researchers first spotted in May, uses botnets to help install cryptominers in vulnerable or unprotected Docker containers as well as Kubernetes instances. In August, researchers found the hackers were stealing Amazon Web Services credentials (see: Cryptomining Botnet Steals AWS Credentials).
In the latest update to their cryptomining campaign, the group is leveraging Weave Scope - an open-source cloud monitoring tool from Weave Works that integrates with Docker, Kubernetes and Amazon Web Services Elastic Compute Cloud - to gain access to these platforms and install malicious code, the reports note.
"The uniqueness of the recent attack observed by Intezer is that the group abuses a legitimate open source tool to gain full control over the victim's cloud infrastructure," Nicole Fishbein, a malware researcher at Intezer, notes in the report. "By installing a legitimate tool such as Weave Scope, the attackers reap all the benefits as if they had installed a backdoor on the server with significantly less effort and without needing to use malware."
The Microsoft report notes that the current campaign has been active since at least mid-August, and researchers detected the malicious activities from a server located in Germany.
The Attack Method
The recently discovered TeamTNT attacks begin with the hackers scanning the internet for exposed Docker API ports using the open-source tool Masscan, the Intezer report notes. Through the exposed API, the hackers then create a new privileged container from a clean Ubuntu image, the report adds.
Microsoft has tracked two images that are deployed by the attackers as part of this campaign. The first image, identified as hildeteamtnt/pause-amd64:3.4, works on Docker API servers and tracks the connection to the service, the report notes. The second image, pause-amd64:3.3, focuses on running cryptocurrency mining and tracks Azure and Kubernetes clusters.
Once TeamTNT has successfully established its initial foothold in the targeted victim's cloud environment, the hackers proceed to gain root access to the server and then download several types of cryptominers, according to Intezer.
The attackers then install Weave Scope and connect to its dashboard, which gives them full visibility into, and control over, the victim's infrastructure, the reports note.
"From the dashboard, the attackers can see a visual map of the Docker runtime cloud environment and give shell commands without needing to deploy any malicious backdoor component," Fishbein says.
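The chain described above (exposed Docker API, privileged container, Weave Scope deployed as a ready-made control plane) leaves artifacts a defender can check for on the host. The following is an added example, not code from either report or from Weaveworks, that audits a constructed `daemon.json` and a constructed list of `docker inspect` records for the relevant signals: a TCP listener without TLS client verification, privileged or host-PID containers, the host root filesystem or the Docker socket mounted inside a container, the two TeamTNT image names Microsoft tracked, and a Weave Scope container with its UI published. The container names, IDs and mounts in the sample are made up; the image name `weaveworks/scope` and the UI port 4040 are Weave Scope's defaults as I know them and are not taken from the article.

```python
import json

# Constructed sample daemon.json: the Docker API listening on all interfaces
# over plain TCP, which is the exposure the attackers scan for.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Constructed sample of `docker inspect` output (subset of fields). Only the
# image names hildeteamtnt/pause-amd64:3.4 and pause-amd64:3.3 come from the
# reports quoted in the article; everything else is invented for the example.
SAMPLE_INSPECT = [
    {"Id": "aaaa1111", "Name": "/web",
     "Config": {"Image": "nginx:1.19", "Cmd": ["nginx", "-g", "daemon off;"]},
     "HostConfig": {"Privileged": False, "Binds": ["/srv/www:/usr/share/nginx/html:ro"], "PidMode": ""},
     "NetworkSettings": {"Ports": {"80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8080"}]}}},
    {"Id": "bbbb2222", "Name": "/elegant_turing",
     "Config": {"Image": "ubuntu:18.04", "Cmd": ["/bin/bash", "-c", "chroot /host bash"]},
     "HostConfig": {"Privileged": True, "Binds": ["/:/host"], "PidMode": "host"},
     "NetworkSettings": {"Ports": {}}},
    {"Id": "cccc3333", "Name": "/weavescope",
     "Config": {"Image": "weaveworks/scope:1.13.1", "Cmd": ["--probe.docker=true"]},
     "HostConfig": {"Privileged": True, "Binds": ["/var/run/docker.sock:/var/run/docker.sock"], "PidMode": "host"},
     "NetworkSettings": {"Ports": {"4040/tcp": [{"HostIp": "0.0.0.0", "HostPort": "4040"}]}}},
    {"Id": "dddd4444", "Name": "/pause",
     "Config": {"Image": "hildeteamtnt/pause-amd64:3.4", "Cmd": ["/pause"]},
     "HostConfig": {"Privileged": False, "Binds": None, "PidMode": ""},
     "NetworkSettings": {"Ports": {}}},
]

KNOWN_BAD_IMAGES = {"hildeteamtnt/pause-amd64:3.4", "pause-amd64:3.3"}  # from the Microsoft report
SCOPE_IMAGE_REPO = "weaveworks/scope"  # assumption: Weave Scope's published image repository
SCOPE_UI_PORT = "4040/tcp"             # assumption: Weave Scope's default dashboard port


def daemon_api_exposed(daemon_json_text):
    """Return TCP listeners from daemon.json that lack TLS client verification.

    An empty list means the daemon is either local-socket only or requires
    client certificates on its TCP listeners.
    """
    cfg = json.loads(daemon_json_text)
    if cfg.get("tlsverify"):
        return []
    return [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]


def audit_container(record):
    """Return the list of suspicious properties found on one inspect record."""
    findings = []
    image = record["Config"]["Image"]
    host_cfg = record["HostConfig"]
    binds = host_cfg.get("Binds") or []
    ports = record["NetworkSettings"].get("Ports") or {}

    if host_cfg.get("Privileged"):
        findings.append("privileged")
    if host_cfg.get("PidMode") == "host":
        findings.append("host-pid")
    # A bind whose source is "/" hands the container the host root filesystem,
    # the usual step from privileged container to root on the host.
    if any(b.split(":")[0] == "/" for b in binds):
        findings.append("host-root-mount")
    if any(b.startswith("/var/run/docker.sock:") for b in binds):
        findings.append("docker-socket-mount")
    if image.rsplit(":", 1)[0] == SCOPE_IMAGE_REPO:
        findings.append("weave-scope")
    if ports.get(SCOPE_UI_PORT):
        findings.append("scope-ui-published")
    if image in KNOWN_BAD_IMAGES:
        findings.append("teamtnt-image")
    return findings


def audit(inspect_records):
    """Map container name -> findings, omitting containers with nothing to report."""
    report = {}
    for record in inspect_records:
        findings = audit_container(record)
        if findings:
            report[record["Name"].lstrip("/")] = findings
    return report


if __name__ == "__main__":
    # On a real host replace the samples with the contents of /etc/docker/daemon.json
    # and the output of `docker inspect $(docker ps -q)`.
    for listener in daemon_api_exposed(SAMPLE_DAEMON_JSON):
        print(f"docker API exposed without TLS verification: {listener}")
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(f"{name}: {', '.join(findings)}")
```

A Weave Scope container is not malicious by itself; the point of the `scope-ui-published` check is that, as the article describes, the dashboard issues shell commands to the hosts it sees, so publishing it on 0.0.0.0 is equivalent to publishing an unauthenticated remote shell and should only ever appear where an operator deliberately put it.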
Since the two reports were published, Weave Works issued an advisory about how to ensure that its tool is not used by hackers.
Over the past several months, researchers have uncovered a number of cryptomining campaigns targeting cloud platforms and containers.
In June, researchers at Palo Alto Networks' Unit 42 discovered a cryptomining campaign that used malicious Docker images to hide cryptocurrency mining code (see: Hackers Used Malicious Docker Images to Mine Monero).
That same month, Microsoft's Azure Security Center warned about a hacking campaign targeting the Kubeflow platform on Kubernetes, which then uses the XMRig cryptominer to mine for monero (see: Kubeflow Targeted in XMRig Monero Cryptomining Campaign).