Threat Watch

TeamTNT Leverages Weave Scope in New Attacks Targeting Cloud Environments

Originally reported by ZDNet, TeamTNT is a hacking crew most recently attributed to a cryptocurrency mining botnet able to steal Amazon Web Services (AWS) credentials from servers. Recently, the group has begun using an open source visualization and monitoring software, Weave Scope, as a backdoor. The software permits administrators to run shells in container clusters as root and does not require authentication by default, making it a prime target for threat actors. Additionally, it allows TeamTNT to map any Docker system that has been compromised.

ANALYST NOTES

TeamTNT typically accesses Docker servers through misconfigurations that expose port 4040 (Docker Container Services port). Because of this, Binary Defense recommends blocking incoming connections to that port, which should be the case in correctly configured Docker servers. For more information, please read: https://www.zdnet.com/article/weave-scope-is-now-being-exploited-in-attacks-against-cloud-environments/