A cybercrime group that has previously struck Docker and Kubernetes cloud environments has evolved to repurpose a legitimate cloud monitoring tool as a backdoor for carrying out malicious attacks, according to new research.
"To our knowledge, this is the first time attackers have been caught using legitimate third party software to target cloud infrastructure," Israeli cybersecurity firm Intezer said in a Tuesday analysis.
Using software called Weave Scope, a visualization and monitoring tool for Docker and Kubernetes deployments, the TeamTNT threat actor not only mapped the cloud environment of its victims but also executed system commands without having to deploy malicious code on the target server explicitly.
TeamTNT has been active at least since late April this year, directing its attacks at misconfigured Docker ports to install cryptocurrency mining malware and a Distributed Denial-of-Service (DDoS) bot.
Then last month, the crypto-mining gang updated its modus operandi to exfiltrate Amazon Web Services (AWS) logins by scanning the infected Docker and Kubernetes systems for sensitive credential information stored in AWS credentials and config files.
While their method of gaining an initial foothold has not changed, what has been tweaked is the way they gain control over the infected host's infrastructure itself.
Once the attackers found their way in, they set up a new privileged container with a clean Ubuntu image, using it to download and execute cryptominers, gain root access to the server by creating a local privileged user named 'hilde' to connect to the server via SSH, and eventually install Weave Scope.
"By installing a legitimate tool such as Weave Scope the attackers reap all the benefits as if they had installed a backdoor on the server, with significantly less effort and without needing to use malware," Intezer's Nicole Fishbein said.
While the ultimate goal of TeamTNT appears to be making money through cryptocurrency mining, many groups that have resorted to deploying cryptojacking worms are successful at compromising enterprise systems in part because of exposed API endpoints, making them an attractive target for cybercriminals.
It is recommended that access to Docker API endpoints be restricted to prevent adversaries from taking control of the servers.
"Weave Scope uses default port 4040 to make the dashboard accessible and anyone with access to the network can view the dashboard. Similar to the Docker API port, this port should be closed or restricted by the firewall," the cybersecurity firm said.
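The following audit script is an added example, not code from the article or from Intezer; it turns the two points above into checks a defender can run on a host: whether the Docker API or the Weave Scope dashboard (default port 4040, per the article) is listening on a non-loopback address, whether any container is running privileged or with the host root mounted, and whether an extra UID 0 account such as the 'hilde' user described earlier has appeared. It assumes the Docker API, when exposed over TCP, uses the conventional ports 2375 (plain) and 2376 (TLS); the article does not state which port was exposed. The `ss`, `docker inspect` and `/etc/passwd` inputs are constructed samples so the script runs offline; on a real host you would feed it the actual command output.

```python
"""Audit a Docker host for the weaknesses described in the article:
exposed Docker API / Weave Scope ports, privileged containers, and
unexpected UID 0 accounts. All sample inputs below are constructed."""
import json

# Ports to flag when bound to something other than loopback. 4040 is Weave
# Scope's default dashboard port (from the article); 2375/2376 are the
# conventional Docker daemon TCP ports (assumption, not stated by the article).
WATCHED_PORTS = {2375: "docker-api", 2376: "docker-api-tls", 4040: "weave-scope"}
LOOPBACK_PREFIXES = ("127.", "[::1]")


def parse_ss_listeners(ss_output):
    """Turn `ss -ltn` output into a list of (local_address, port) tuples."""
    listeners = []
    for line in ss_output.strip().splitlines()[1:]:  # first line is the header
        parts = line.split()
        if len(parts) < 5:
            continue
        addr, sep, port = parts[3].rpartition(":")  # handles 0.0.0.0:2375, [::]:4040, *:4040
        if sep and port.isdigit():
            listeners.append((addr, int(port)))
    return listeners


def exposed_services(ss_output):
    """Watched services reachable from the network, i.e. not bound to loopback."""
    findings = []
    for addr, port in parse_ss_listeners(ss_output):
        if port in WATCHED_PORTS and not addr.startswith(LOOPBACK_PREFIXES):
            findings.append({"service": WATCHED_PORTS[port], "bind": f"{addr}:{port}"})
    return findings


def privileged_containers(inspect_json):
    """Containers from `docker inspect` that run --privileged or bind-mount host /."""
    flagged = []
    for c in json.loads(inspect_json):
        host = c.get("HostConfig", {})
        root_mount = any(b.split(":")[0] == "/" for b in host.get("Binds") or [])
        if host.get("Privileged") or root_mount:
            flagged.append({"name": c.get("Name", "").lstrip("/"),
                            "image": c.get("Config", {}).get("Image"),
                            "privileged": bool(host.get("Privileged")),
                            "host_root_mounted": root_mount})
    return flagged


def unexpected_root_users(passwd_text):
    """Account names other than 'root' that have UID 0 in /etc/passwd."""
    return [f[0] for f in (line.split(":") for line in passwd_text.splitlines())
            if len(f) >= 3 and f[2] == "0" and f[0] != "root"]


def restrict_rules(findings, allowed_cidr):
    """iptables lines that allow an admin CIDR to each flagged port and drop everyone else."""
    rules = []
    for f in findings:
        port = f["bind"].rsplit(":", 1)[1]
        rules.append(f"iptables -A INPUT -p tcp --dport {port} -s {allowed_cidr} -j ACCEPT")
        rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


# --- constructed sample inputs (not real host data) ---
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22       0.0.0.0:*
LISTEN 0      4096   0.0.0.0:2375     0.0.0.0:*
LISTEN 0      4096   *:4040           *:*
LISTEN 0      4096   [::1]:2376       [::]:*
"""
SAMPLE_INSPECT = """[
  {"Name": "/web", "Config": {"Image": "nginx:1.19"},
   "HostConfig": {"Privileged": false, "Binds": ["/srv/www:/usr/share/nginx/html:ro"]}},
  {"Name": "/trusting_morse", "Config": {"Image": "ubuntu:latest"},
   "HostConfig": {"Privileged": true, "Binds": ["/:/host"]}}
]"""
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nhilde:x:0:0::/home/hilde:/bin/bash\nops:x:1000:1000::/home/ops:/bin/bash\n"

if __name__ == "__main__":
    exposed = exposed_services(SAMPLE_SS)
    for f in exposed:
        print(f"EXPOSED  {f['service']:<16} {f['bind']}")
    for c in privileged_containers(SAMPLE_INSPECT):
        print(f"CONTAINER {c['name']} ({c['image']}) privileged={c['privileged']} root_mount={c['host_root_mounted']}")
    for u in unexpected_root_users(SAMPLE_PASSWD):
        print(f"UID0 USER {u}")
    print("\n".join(restrict_rules(exposed, "10.0.0.0/8")))
```

The port check keys off the bind address rather than the process name, so it also catches a Weave Scope dashboard started inside a container with the port published on all interfaces. The iptables lines are a starting point for the "restricted by the firewall" advice; on a Docker host, remember that published container ports are handled in the DOCKER chain, so restricting them at a perimeter firewall or via the daemon's own bind address is the more reliable control.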