November 23, 2020 By David Bisson 2 min read

Security researchers caught attackers in the act of using legitimate third-party software to target their victims’ cloud infrastructure for cryptomining.

Cryptominer Weaves Its Way Through Its Victims’ Systems

In the beginning of September, Intezer revealed that it had spotted a new attack campaign in which the TeamTNT threat group attempted to gain visibility of and control over victims’ cloud-based systems.

They did so by misusing Weave Scope. An open-source tool developed by Weave Works, Weave Scope provides automation and monitoring. To be specific, it works with Docker and Kubernetes environments. These features grant a user full control over their cloud infrastructure, including all metadata relating to their containers and hosts.

TeamTNT first used an exposed Docker API port to create a privileged container with a clean Ubuntu image. This container was privileged to the extent that its configuration allowed the attackers to mount its file system to the victim server’s file system. This enabled TeamTNT to access all the files stored on that server.

At that point in the attack chain, the threat group commanded the privileged container to run multiple cryptominers. It then attempted to gain root access by setting up a local privileged user named ‘hilde’ on the host server and using that account to connect back via Secure Shell.

After downloading and installing Weave Scope, TeamTNT attempted to connect to the tool via HTTP on port 4040. A successful connection enabled the threat group to issue commands without needing to download other backdoors or malware.

Origins of a Cryptomining Worm

TeamTNT has been launching strikes into cloud infrastructure for several months.

News of the threat group first emerged in mid-August 2020 when Cado Security observed the attackers using a cryptomining worm to specifically steal and exfiltrate victims’ Amazon Web Services credentials to a server under their control.

The researchers sent some canary token credentials to the attackers’ server. However, at the time it was last analyzed, TeamTNT had not used them yet. The researchers at Cado Security interpreted this delay as a sign of one of two things: perhaps the attackers reviewed victims’ credentials before using them or their automation features were broken.

Using code stolen from the Kinsing worm, TeamTNT’s cryptomining worm scanned for open Docker APIs, spun up new Docker images and installed itself. The threat group used these propagation techniques to distribute the XMRig Monero-mining tool. Along with it came a secure shell post-exploitation solution, a log cleaning mechanism, a rootkit and a backdoor throughout a victim’s infrastructure.

Cado Security found that the worm had affected at least 119 systems. So far, these have included included Kubernetes clusters and Jenkins build servers.

How to Defend Against Threats Like Cryptominers

Groups like TeamTNT highlight the need for thorough protection around cloud systems. You can follow the advice of Intezer and Cado Security to delete unneeded Amazon Web Services credential files, to close or restrict access to Docker application programming interfaces, to review network traffic for links back to cryptomining pools and to consider blocking incoming connections to port 4040.

More generally, change your approach to cloud security. One good way to start is to motivate teams according to the fixes that actually improve security. They can then use an ongoing vulnerability management program along with regular penetration testing exercises to advance their security efforts.

Last but not least, they should consider using a hybrid cloud platform that unlocks artificial intelligence for business by automating the AI life cycle across all phases and transferring lessons from pre-trained models. This solution should also transparently govern and manage drift and risk while dynamically adapting to evolving outcomes.

More from News

FBI, CISA issue warning for cross Apple-Android texting

3 min read - CISA and the FBI recently released a joint statement that the People's Republic of China (PRC) is targeting commercial telecommunications infrastructure as part of a significant cyber espionage campaign. As a result, the agencies released a joint guide, Enhanced Visibility and Hardening Guidance for Communications Infrastructure, with best practices organizations and agencies should adopt to protect against this espionage threat. According to the statement, PRC-affiliated actors compromised networks at multiple telecommunication companies. They stole customer call records data as well…

Zero-day exploits underscore rising risks for internet-facing interfaces

3 min read - Recent reports confirm the active exploitation of a critical zero-day vulnerability targeting Palo Alto Networks’ Next-Generation Firewalls (NGFW) management interfaces. While Palo Alto’s swift advisories and mitigation guidance offer a starting point for remediation, the broader implications of such vulnerabilities demand attention from organizations globally. The surge in attacks on internet-facing management interfaces highlights an evolving threat landscape and necessitates rethinking how organizations secure critical assets. Who is exploiting the NGFW zero-day? As of now, little is known about the…

Will arresting the National Public Data threat actor make a difference?

3 min read - The arrest of USDoD, the mastermind behind the colossal National Public Data breach, was a victory for law enforcement. It also raises some fundamental questions. Do arrests and takedowns truly deter cyberattacks? Or do they merely mark the end of one criminal’s chapter while others rise to take their place? As authorities continue to crack down on cyber criminals, the arrest of high-profile threat actors like USDoD reveals a deeper, more complex reality about the state of global cyber crime.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today