November 23, 2020 By David Bisson 2 min read

Security researchers caught attackers in the act of using legitimate third-party software to target their victims’ cloud infrastructure for cryptomining.

Cryptominer Weaves Its Way Through Its Victims’ Systems

In the beginning of September, Intezer revealed that it had spotted a new attack campaign in which the TeamTNT threat group attempted to gain visibility of and control over victims’ cloud-based systems.

They did so by misusing Weave Scope, an open-source tool developed by Weave Works that provides automation and monitoring for Docker and Kubernetes environments. Those features grant a user full control over their cloud infrastructure, including all metadata relating to their containers and hosts.

TeamTNT first used an exposed Docker API port to create a privileged container from a clean Ubuntu image. The container's privileged configuration allowed the attackers to mount the victim server's file system into it, which gave TeamTNT access to all the files stored on that server.

At that point in the attack chain, the threat group commanded the privileged container to run multiple cryptominers. It then attempted to gain root access by setting up a local privileged user named ‘hilde’ on the host server and using that account to connect back via Secure Shell.

After downloading and installing Weave Scope, TeamTNT attempted to connect to the tool via HTTP on port 4040. A successful connection enabled the threat group to issue commands without needing to download other backdoors or malware.

Origins of a Cryptomining Worm

TeamTNT has been launching strikes into cloud infrastructure for several months.

News of the threat group first emerged in mid-August 2020 when Cado Security observed the attackers using a cryptomining worm to specifically steal and exfiltrate victims’ Amazon Web Services credentials to a server under their control.

The researchers sent some canary token credentials to the attackers’ server. However, at the time it was last analyzed, TeamTNT had not used them yet. The researchers at Cado Security interpreted this delay as a sign of one of two things: perhaps the attackers reviewed victims’ credentials before using them or their automation features were broken.

Using code stolen from the Kinsing worm, TeamTNT’s cryptomining worm scanned for open Docker APIs, spun up new Docker images and installed itself. The threat group used these propagation techniques to distribute the XMRig Monero-mining tool. Along with it came a secure shell post-exploitation solution, a log cleaning mechanism, a rootkit and a backdoor throughout a victim’s infrastructure.

Cado Security found that the worm had affected at least 119 systems. So far, these have included Kubernetes clusters and Jenkins build servers.

How to Defend Against Threats Like Cryptominers

Groups like TeamTNT highlight the need for thorough protection around cloud systems. You can follow the advice of Intezer and Cado Security to delete unneeded Amazon Web Services credential files, to close or restrict access to Docker application programming interfaces, to review network traffic for links back to cryptomining pools and to consider blocking incoming connections to port 4040.
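An added example, not code from the article or from Intezer or Cado Security, that turns the Docker-side advice above into a check a defender can run against the attack pattern described earlier: it audits `docker inspect` output for a privileged container with the host file system bind-mounted or Weave Scope's port 4040 published, and audits `daemon.json` for a Docker API listener on plain TCP. The sample JSON below is constructed; the field names follow Docker's real schema.

```python
import json

# Constructed sample input: a trimmed subset of `docker inspect` output for two
# containers (field names follow Docker's inspect schema; values are made up).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web",
     "HostConfig": {"Privileged": False,
                    "Binds": ["/srv/www:/usr/share/nginx/html:ro"],
                    "PortBindings": {"80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8080"}]}}},
    {"Name": "/ubuntu-tmp",
     "HostConfig": {"Privileged": True,
                    "Binds": ["/:/host"],
                    "PortBindings": {"4040/tcp": [{"HostIp": "0.0.0.0", "HostPort": "4040"}]}}},
])

# Constructed sample /etc/docker/daemon.json: the API is also served on plain TCP.
SAMPLE_DAEMON_JSON = json.dumps(
    {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"], "tls": False})

WEAVE_SCOPE_PORT = "4040"  # Weave Scope's HTTP port, as described in the article


def audit_containers(inspect_json):
    """Return {container_name: [finding, ...]} for containers matching the pattern:
    privileged, host root bind-mounted, or Weave Scope's port 4040 published."""
    report = {}
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig") or {}
        findings = []
        if hc.get("Privileged"):
            findings.append("runs privileged")
        for bind in hc.get("Binds") or []:
            if bind.split(":")[0] == "/":  # host-side path of the bind mount
                findings.append("bind-mounts host root: " + bind)
        for port, bindings in (hc.get("PortBindings") or {}).items():
            if any(b.get("HostPort") == WEAVE_SCOPE_PORT for b in bindings or []):
                findings.append("publishes Weave Scope port 4040 via " + port)
        if findings:
            report[c["Name"]] = findings
    return report


def audit_daemon(daemon_json):
    """Flag Docker API listeners on TCP that do not require client certificates."""
    cfg = json.loads(daemon_json)
    return ["Docker API on TCP without tlsverify: " + h
            for h in cfg.get("hosts", [])
            if h.startswith("tcp://") and not cfg.get("tlsverify")]


if __name__ == "__main__":
    print(json.dumps(audit_containers(SAMPLE_INSPECT), indent=2))
    print("\n".join(audit_daemon(SAMPLE_DAEMON_JSON)))
```

On a live host, feed it `docker inspect $(docker ps -q)` and the contents of `/etc/docker/daemon.json` instead of the samples.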

More generally, change your approach to cloud security. One good way to start is to give teams an incentive to prioritize the fixes that actually improve security. They can then use an ongoing vulnerability management program along with regular penetration testing exercises to advance their security efforts.

Last but not least, they should consider using a hybrid cloud platform that unlocks artificial intelligence for business by automating the AI life cycle across all phases and transferring lessons from pre-trained models. This solution should also transparently govern and manage drift and risk while dynamically adapting to evolving outcomes.
