
Researchers Spot First Cloud Attack Abusing Legitimate Tool

A hacking group was observed employing a legitimate tool to gain visibility into and control of compromised cloud environments, threat detection and response company Intezer reported on Tuesday.

Referred to as TeamTNT, the group was previously seen employing a worm to target Docker and Kubernetes systems in order to search for and exfiltrate local credentials, including AWS login information. The hackers deploy cryptocurrency miners onto the affected machines.

In a recent attack, however, the adversary no longer deployed malware onto the compromised systems. Instead, Weave Scope was used to map the cloud environment and execute commands.

Weave Scope provides monitoring, visualization, and control capabilities for Docker and Kubernetes, Distributed Cloud Operating System (DC/OS), and AWS Elastic Compute Cloud (ECS), as well as seamless integration with all of them.

The TeamTNT attacks, Intezer explains, usually start with malicious Docker images that are hosted on Docker Hub, but also involve the use of crypto-miners and malicious scripts. The new attack also revealed the abuse of the legitimate open source Weave Scope tool to take over the victim’s cloud infrastructure.

An exposed Docker API port is abused to create a new privileged container running a clean Ubuntu image. The attackers configure the container so that the victim server's file system is mounted into it, thus gaining access to the files on the host.

Next, the attackers instruct the container to download and run crypto-miners, after which they attempt to elevate privileges to root by creating a local privileged user ‘hilde’ on the host server and connecting through it via SSH.

At this point, Weave Scope is downloaded and installed, to control the victim’s cloud environment. The Weave Scope dashboard displays a visual map of the Docker infrastructure and allows the attackers to execute shell commands without installing malware.

“Not only is this scenario incredibly rare, to our knowledge this is the first time an attacker has downloaded legitimate software to use as an admin tool on the Linux operating system,” Intezer notes.

To stay protected, organizations are advised to close exposed Docker API ports (the attackers gain access through a misconfigured Docker API) and block incoming connections to port 4040 (used to access the Weave Scope dashboard). They should also follow best practices when securing Docker environments, and install a security solution to protect Linux cloud servers and containers.
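The following host audit is an added example, not code from the article or from Intezer. It checks for the two conditions described above, a privileged container with the host root file system bind-mounted into it, and network listeners on the Weave Scope dashboard port 4040 or the Docker API, using constructed `docker inspect` and `ss -tlnH` output in place of live data; the Docker API ports 2375/2376 are the daemon's conventional TCP ports and are not named in the article.

```python
import json

# Constructed `docker inspect` output: one ordinary container and one matching the pattern
# (privileged, clean Ubuntu image, host root file system bind-mounted into the container).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "Config": {"Image": "nginx:1.25"},
     "HostConfig": {"Privileged": False, "Binds": ["webdata:/usr/share/nginx/html"]}},
    {"Name": "/t", "Config": {"Image": "ubuntu:latest"},
     "HostConfig": {"Privileged": True, "Binds": ["/:/mnt:rw"]}},
])

# Constructed `ss -tlnH` output: sshd on 22, Docker API on 2375 (conventional default port,
# assumed here), Weave Scope dashboard on 4040, and a loopback-only exporter on 9100.
SAMPLE_SS = """LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 *:2375 *:*
LISTEN 0 4096 0.0.0.0:4040 0.0.0.0:*
LISTEN 0 128 127.0.0.1:9100 0.0.0.0:*"""

WATCHED_PORTS = {2375: "Docker API (plaintext)", 2376: "Docker API (TLS)", 4040: "Weave Scope dashboard"}
LOOPBACK = ("127.", "[::1]")

def risky_containers(inspect_json):
    """Return (name, image, reasons) for containers that run privileged and/or
    bind-mount the host root directory, the combination the article describes."""
    findings = []
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig", {})
        reasons = []
        if hc.get("Privileged"):
            reasons.append("privileged")
        # A bind spec is "host_src:container_dst[:opts]"; a source of "/" exposes the whole host FS.
        for bind in hc.get("Binds") or []:
            if bind.split(":")[0] == "/":
                reasons.append(f"host root mounted at {bind.split(':')[1]}")
        if reasons:
            findings.append((c["Name"].lstrip("/"), c["Config"]["Image"], reasons))
    return findings

def exposed_listeners(ss_output):
    """Return {port: description} for watched ports listening on a non-loopback address."""
    exposed = {}
    for line in ss_output.splitlines():
        fields = line.split()  # State Recv-Q Send-Q Local:Port Peer:Port
        if len(fields) < 4:
            continue
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit() and int(port) in WATCHED_PORTS and not addr.startswith(LOOPBACK):
            exposed[int(port)] = WATCHED_PORTS[int(port)]
    return exposed
```

On a live host, feed `risky_containers` the output of `docker inspect $(docker ps -q)` and `exposed_listeners` the output of `ss -tlnH`; any finding from either function is worth investigating against the change history of that server.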

Employing the Zero Trust Execution (ZTE) policy for workloads should also prevent TeamTNT attacks, as it creates a baseline of workloads and monitors for and blocks any unauthorized code or applications from executing. Although a legitimate tool, Weave Scope would be flagged by ZTE for deviating from the trusted baseline.

Related: Crypto-Mining Worm Targets AWS Credentials

Related: XORDDoS, Kaiji DDoS Botnets Target Docker Servers

Related: Misconfigured Docker Registries Expose Thousands of Repositories

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
