Hackers abusing legitimate cloud monitoring tool to infiltrate Linux environments

TeamTNT has been caught using the genuine Weave Scope Docker and Kubernetes tool as an effective backdoor to target servers

Cyber criminals are abusing a trusted Docker and Kubernetes cloud monitoring tool to map the networks of their victims and execute system commands.

Having previously been known to use malicious Docker images to infect victims’ servers, TeamTNT has now been observed using Weave Scope as an effective backdoor into the cloud networking infrastructure of its targets, according to analysis by Intezer.

Weave Scope is a trusted tool that gives users full access to their cloud environment, and is integrated with Docker, Kubernetes, the Distributed Cloud Operating System (DC/OS) and the AWS Elastic Compute Cloud (ECS). Hackers, however, have illicitly deployed this tool to map out the environments of prospective victims, and execute system commands without the need to deploy malicious code. 

"To our knowledge, this is the first time attackers have been caught using legitimate third party software to target cloud infrastructure," said Intezer security researcher Nicole Fishbein. "When abused, Weave Scope gives the attacker full visibility and control over all assets in the victim’s cloud environment, essentially functioning as a backdoor."

"By installing a legitimate tool such as Weave Scope the attackers reap all the benefits as if they had installed a backdoor on the server, with significantly less effort and without needing to use malware," she adds. 

The open-source tool, developed by Weave Works, providers monitoring and visualisation over Docker and Kubernetes servers, with users gaining full control over the infrastructure through a dashboard accessible through a web browser.

When successfully abused, attackers are granted access to all information about the server environment, in addition to the ability to install applications, establish connections between cloud workloads, and start or stop or open interactive shells in containers. 

This degree of functionality is equivalent to an attacker having installed a backdoor on the server, with significantly less effort and without needing to use malware, Fishbein added.

Related Resource

Special report: Enterprises across Europe, the Middle East and Africa slowly embrace cybersecurity challenges

Organisations are undergoing what is perhaps the most significant transformation in a generation

To install Weave Scope, a hacker would need to use an exposed Docker API port and create a new privileged container with a clean Ubuntu image. This container would then be configured to mount the file system of the container to the file system of the victim server, and therefore grant attackers access to all files on the server. 

The initial command, as observed by Intezer, was to download and execute several cryptominers. The attacker then attempted to gain root access to the server by setting up a local privileged user on the host server, using this to connect back via Secure Shell (SSH). The attackers subsequently downloaded and installed Weave Scope, which, once launched, connected the cyber criminals with the Weave Scope dashboard via HTTP on port 4040.

From this dashboard, the hackers can see a visual map of the Docker runtime cloud environment and give shell commands without deploying any backdoor. This is the first time that an attacker, to Intezer’s knowledge, has downloaded legitimate software to be used as an admin tool on the Linux operating system.

The cyber security firm has recommended that organisations close any exposed Docker API ports to prevent the initial infiltration, given this attack takes advantage of a common misconfiguration of the Docker API. All Docker API ports should, therefore, be either closed or contain restricted access policies in the firewall.

Organisations should also block incoming connections to port 4040 given Weave Scope uses this as a default to make the dashboard accessible. This port should also be closed or restricted by the firewall.

Featured Resources

Navigating the new normal: A fast guide to remote working

A smooth transition will support operations for years to come

Download now

Leading the data race

The trends driving the future of data science

Download now

How to create 1:1 customer experiences at scale

Meet the technology capable of delivering the personalisation your customers crave

Download now

How to achieve daily SAP releases

Accelerate the pace of SAP change to support your digital strategy

Download now

Recommended

Best Linux distros 2020
operating systems

Best Linux distros 2020

18 May 2020
What is open source?
Software

What is open source?

29 Apr 2020
WireGuard VPN bundled into latest Linux release
Linux

WireGuard VPN bundled into latest Linux release

31 Mar 2020
View from the airport: Linux Open Networking Summit 2019
open source

View from the airport: Linux Open Networking Summit 2019

1 Oct 2019

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
The Xbox Series X shows how far the cloud still has to go
Cloud

The Xbox Series X shows how far the cloud still has to go

25 Sep 2020