Hackers abusing legitimate cloud monitoring tool to infiltrate Linux environments

TeamTNT has been caught using the genuine Weave Scope Docker and Kubernetes tool as an effective backdoor to target servers

Cyber criminals are abusing a trusted Docker and Kubernetes cloud monitoring tool to map the networks of their victims and execute system commands.

Having previously been known to use malicious Docker images to infect victims’ servers, TeamTNT has now been observed using Weave Scope as an effective backdoor into the cloud networking infrastructure of its targets, according to analysis by Intezer.

Weave Scope is a trusted tool that gives users full access to their cloud environment, and is integrated with Docker, Kubernetes, the Distributed Cloud Operating System (DC/OS) and the AWS Elastic Compute Cloud (ECS). Hackers, however, have illicitly deployed this tool to map out the environments of prospective victims, and execute system commands without the need to deploy malicious code. 

"To our knowledge, this is the first time attackers have been caught using legitimate third party software to target cloud infrastructure," said Intezer security researcher Nicole Fishbein. "When abused, Weave Scope gives the attacker full visibility and control over all assets in the victim’s cloud environment, essentially functioning as a backdoor."

"By installing a legitimate tool such as Weave Scope the attackers reap all the benefits as if they had installed a backdoor on the server, with significantly less effort and without needing to use malware," she adds. 

The open-source tool, developed by Weave Works, providers monitoring and visualisation over Docker and Kubernetes servers, with users gaining full control over the infrastructure through a dashboard accessible through a web browser.

When successfully abused, attackers are granted access to all information about the server environment, in addition to the ability to install applications, establish connections between cloud workloads, and start or stop or open interactive shells in containers. 

This degree of functionality is equivalent to an attacker having installed a backdoor on the server, with significantly less effort and without needing to use malware, Fishbein added.

Related Resource

Special report: Enterprises across Europe, the Middle East and Africa slowly embrace cybersecurity challenges

Organisations are undergoing what is perhaps the most significant transformation in a generation

To install Weave Scope, a hacker would need to use an exposed Docker API port and create a new privileged container with a clean Ubuntu image. This container would then be configured to mount the file system of the container to the file system of the victim server, and therefore grant attackers access to all files on the server. 

The initial command, as observed by Intezer, was to download and execute several cryptominers. The attacker then attempted to gain root access to the server by setting up a local privileged user on the host server, using this to connect back via Secure Shell (SSH). The attackers subsequently downloaded and installed Weave Scope, which, once launched, connected the cyber criminals with the Weave Scope dashboard via HTTP on port 4040.

From this dashboard, the hackers can see a visual map of the Docker runtime cloud environment and give shell commands without deploying any backdoor. This is the first time that an attacker, to Intezer’s knowledge, has downloaded legitimate software to be used as an admin tool on the Linux operating system.

The cyber security firm has recommended that organisations close any exposed Docker API ports to prevent the initial infiltration, given this attack takes advantage of a common misconfiguration of the Docker API. All Docker API ports should, therefore, be either closed or contain restricted access policies in the firewall.

Organisations should also block incoming connections to port 4040 given Weave Scope uses this as a default to make the dashboard accessible. This port should also be closed or restricted by the firewall.

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

Log-On Wave for IBM Z simplifies highly virtualized environments
virtualisation

Log-On Wave for IBM Z simplifies highly virtualized environments

16 Nov 2020
Best Linux distros 2020
operating systems

Best Linux distros 2020

18 May 2020
What is open source?
Software

What is open source?

29 Apr 2020
WireGuard VPN bundled into latest Linux release
Linux

WireGuard VPN bundled into latest Linux release

31 Mar 2020

Most Popular

IT retailer faces €10.4m GDPR fine for employee surveillance
General Data Protection Regulation (GDPR)

IT retailer faces €10.4m GDPR fine for employee surveillance

18 Jan 2021
Citrix buys Slack competitor Wrike in record $2.25bn deal
collaboration

Citrix buys Slack competitor Wrike in record $2.25bn deal

19 Jan 2021
Should IT departments call time on WhatsApp?
communications

Should IT departments call time on WhatsApp?

15 Jan 2021