An attack group is using an open source visualization and monitoring tool for cloud environments to compromise Docker and Kubernetes systems, researchers warned.
The TeamTNT attack group uses Weave Scope, a monitoring, visualization, and control tool for Docker, Kubernetes, Distributed Cloud Operating System (DC/OS), and Amazon Web Services Elastic Compute Cloud (EC2), as a backdoor to map the targeted environment and execute commands, security company Intezer and Microsoft said in separate blog posts. A legitimate monitoring tool integrated into cloud platforms, Weave Scope lets users watch a container's running processes and network connections, and also lets them run shells in clusters as root. By default, Weave Scope does not require authentication.
“When abused, Weave Scope gives the attacker full visibility and control over all assets in the victim’s cloud environment, essentially functioning as a backdoor,” wrote Intezer security researcher Nicole Fishbein.
TeamTNT is taking advantage of a misconfiguration that exposes a Docker API port to deploy the software as a type of backdoor to the cloud environment. Microsoft said it has seen cluster administrators enable public access to this interface and other similar services.
Attackers “take advantage of this misconfiguration and use the public access to compromise Kubernetes clusters,” Microsoft said.
The group creates a new privileged container and then uses the exposed port to mount the container's file system onto the targeted server. The container both loads and executes cryptocurrency miners. The second phase of the attack involves setting up a local privileged user on the host server and connecting to it over SSH.
Once the attackers are connected to the host server, they can use Weave Scope to map the infrastructure, monitor individual systems, install applications, consume computing resources, and execute shell commands in containers.
“Not only is this scenario incredibly rare, to our knowledge this is the first time an attacker has downloaded legitimate software to use as an admin tool on the Linux operating system,” Fishbein said.
TeamTNT previously employed a worm against Docker and Kubernetes systems. The group has been linked to a cryptocurrency-mining botnet which steals AWS credentials from servers. The attackers have also relied on malicious Docker images uploaded to Docker Hub to compromise cloud environments. The switch to Weave Scope meant TeamTNT no longer needed to rely on malware on compromised machines.
Attackers abusing built-in administrator capabilities and tools have an easier time hiding their activities from security teams and network administrators. Security tools can look for signs of malware, but in this scenario, there is no malware. The defenders have to try to identify when a legitimate tool is being used in an unauthorized manner.
Organizations should close the exposed Docker API port and block incoming connections to port 4040, Microsoft recommended. Weave Works, the company behind Weave Scope, has also released an advisory on how administrators can protect the tool from abuse. The company said Scope should not be run as a public server, and that it should run in read-only mode rather than with administrator privileges. Weave Works also recommended deploying the tool behind an authentication service so that only authorized users can reach it.
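As an added illustration of the checks those recommendations imply, the Python below is example code written for this page, not code from Intezer, Microsoft or Weave Works. It audits constructed samples of `ss -ltn` output, a Docker `daemon.json`, and `docker ps` output for the three conditions the article describes: a Docker API reachable from the network, Weave Scope's port 4040 bound to a non-loopback address, and a Scope container running that nobody in operations deployed. The port numbers 2375/2376, the `daemon.json` keys, the image name `weaveworks/scope`, and the `docker ps --format '{{.ID}} {{.Image}} {{.Ports}}'` layout are assumptions about a typical deployment; the page itself names only port 4040.

```python
"""Defender-side audit for the misconfigurations described in the article.
All sample data below is constructed for illustration, not captured from a host."""
import ipaddress
import json

# 4040 is Weave Scope's port as named in Microsoft's recommendation.
# 2375/2376 are Docker's conventional plaintext/TLS API ports (assumption:
# the article does not name the Docker API port number).
WATCHED_PORTS = {2375: "docker-api-plain", 2376: "docker-api-tls", 4040: "weave-scope"}

SCOPE_IMAGE = "weaveworks/scope"  # assumed image repository name

# Constructed `ss -ltn` output: Docker API on loopback is fine, but the
# IPv6 wildcard binding and Scope on 0.0.0.0 are both exposed.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      4096   127.0.0.1:2375      0.0.0.0:*
LISTEN 0      4096   0.0.0.0:4040        0.0.0.0:*
LISTEN 0      4096   [::]:2375           [::]:*
LISTEN 0      128    [::1]:631           [::]:*
"""

# Constructed /etc/docker/daemon.json that publishes the API without TLS.
SAMPLE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
    "tlsverify": False,
})

# Constructed `docker ps --format '{{.ID}} {{.Image}} {{.Ports}}'` output.
SAMPLE_DOCKER_PS = """\
3f1a2b4c5d6e weaveworks/scope 0.0.0.0:4040->4040/tcp
7a8b9c0d1e2f nginx 0.0.0.0:443->443/tcp
"""


def _is_loopback(addr: str) -> bool:
    """True only for 127.x / ::1; wildcards and unparsable addresses count as exposed."""
    addr = addr.strip("[]").split("%")[0]
    if addr in ("*", ""):
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def find_exposed_listeners(ss_output: str) -> list[tuple[str, int, str]]:
    """Return (address, port, service) for watched ports bound beyond loopback."""
    findings = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        addr, _, port_text = parts[3].rpartition(":")
        if not port_text.isdigit():
            continue
        port = int(port_text)
        if port in WATCHED_PORTS and not _is_loopback(addr):
            findings.append((addr, port, WATCHED_PORTS[port]))
    return findings


def audit_docker_daemon(daemon_json: str) -> list[str]:
    """Flag tcp:// API listeners unless mutual TLS is fully configured."""
    cfg = json.loads(daemon_json)
    tls_ok = bool(cfg.get("tlsverify")) and all(
        key in cfg for key in ("tlscacert", "tlscert", "tlskey"))
    return [f"Docker API published on {host} without mutual TLS; remove it or set tlsverify"
            for host in cfg.get("hosts", [])
            if host.startswith("tcp://") and not tls_ok]


def find_unapproved_scope_containers(docker_ps: str, approved_ids: set[str]) -> list[str]:
    """Return IDs of Scope containers absent from the approved inventory.

    The legitimate tool is the finding here: its presence is only acceptable
    when operations deployed it on purpose and recorded the container ID."""
    hits = []
    for line in docker_ps.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 2:
            continue
        cid, image = parts[0], parts[1]
        # Keep the last two path segments and drop any tag, so that
        # registry prefixes and versions do not defeat the comparison.
        repo = "/".join(image.rsplit("/", 2)[-2:]).split(":")[0]
        if repo == SCOPE_IMAGE and cid not in approved_ids:
            hits.append(cid)
    return hits


if __name__ == "__main__":
    for addr, port, svc in find_exposed_listeners(SAMPLE_SS):
        print(f"exposed listener: {svc} on {addr}:{port}")
    for issue in audit_docker_daemon(SAMPLE_DAEMON_JSON):
        print(f"daemon config: {issue}")
    for cid in find_unapproved_scope_containers(SAMPLE_DOCKER_PS, set()):
        print(f"unapproved Weave Scope container: {cid}")
```

Run on a real host by substituting the output of `ss -ltn`, the contents of `/etc/docker/daemon.json`, and `docker ps --format '{{.ID}} {{.Image}} {{.Ports}}'` for the constructed samples; the inventory of approved Scope container IDs has to come from your own deployment records, since the whole point of the article is that the binary itself looks legitimate.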
"Misconfigured services seem to be among the most popular and dangerous access vectors when it comes to attacks against Kubernetes clusters," said Microsoft.