Threat Watch

TeamTNT Leverages Weave Scope in New Attacks Targeting Cloud Environments

Originally reported by ZDNet, TeamTNT is a hacking crew most recently attributed to a cryptocurrency mining botnet able to steal Amazon Web Services (AWS) credentials from servers. Recently, the group has begun using an open source visualization and monitoring software, Weave Scope, as a backdoor. The software permits administrators to run shells in container clusters as root and does not require authentication by default, making it a prime target for threat actors. Additionally, it allows TeamTNT to map any Docker system that has been compromised.

Subscribe to Threat Watch

Daily summaries of threats, delivered straight to your inbox!


Click Here to Subscribe to Threat Watch

ANALYST NOTES

TeamTNT typically accesses Docker servers through misconfigurations that expose port 4040 (Docker Container Services port). Because of this, Binary Defense recommends blocking incoming connections to that port, which should be the case in correctly configured Docker servers. For more information, please read: https://www.zdnet.com/article/weave-scope-is-now-being-exploited-in-attacks-against-cloud-environments/

Facebook Twitter Instagram Youtube Linkedin
Solutions
Become a Reseller

Industries

Resources

About

Contact Us
Contact Support