TeamTNT Leverages Weave Scope in New Attacks Targeting Cloud Environments

Threat Watch

Threat Watch TeamTNT Leverages Weave Scope in New Attacks Targeting Cloud Environments

TeamTNT Leverages Weave Scope in New Attacks Targeting Cloud Environments

Originally reported by ZDNet, TeamTNT is a hacking crew most recently attributed to a cryptocurrency mining botnet able to steal Amazon Web Services (AWS) credentials from servers. Recently, the group has begun using an open source visualization and monitoring software, Weave Scope, as a backdoor. The software permits administrators to run shells in container clusters as root and does not require authentication by default, making it a prime target for threat actors. Additionally, it allows TeamTNT to map any Docker system that has been compromised.

ANALYST NOTES

TeamTNT typically accesses Docker servers through misconfigurations that expose port 4040 (Docker Container Services port). Because of this, Binary Defense recommends blocking incoming connections to that port, which should be the case in correctly configured Docker servers. For more information, please read: https://www.zdnet.com/article/weave-scope-is-now-being-exploited-in-attacks-against-cloud-environments/

The war in Ukraine and its impact on how China views Taiwan

Digging through Rust to find Gold: Extracting Secrets from Rust Malware

5 Critical Criteria for evaluating Managed Detection & Response (MDR)

How Ransomware Capabilities Are Evolving and What You Can Do to Keep Your Organization Secure

Threat Watch