November 23, 2020 By David Bisson 2 min read

Security researchers caught attackers in the act of using legitimate third-party software to target their victims’ cloud infrastructure for cryptomining.

Cryptominer Weaves Its Way Through Its Victims’ Systems

In the beginning of September, Intezer revealed that it had spotted a new attack campaign in which the TeamTNT threat group attempted to gain visibility of and control over victims’ cloud-based systems.

They did so by misusing Weave Scope. An open-source tool developed by Weave Works, Weave Scope provides automation and monitoring. To be specific, it works with Docker and Kubernetes environments. These features grant a user full control over their cloud infrastructure, including all metadata relating to their containers and hosts.

TeamTNT first used an exposed Docker API port to create a privileged container with a clean Ubuntu image. This container was privileged to the extent that its configuration allowed the attackers to mount its file system to the victim server’s file system. This enabled TeamTNT to access all the files stored on that server.

At that point in the attack chain, the threat group commanded the privileged container to run multiple cryptominers. It then attempted to gain root access by setting up a local privileged user named ‘hilde’ on the host server and using that account to connect back via Secure Shell.

After downloading and installing Weave Scope, TeamTNT attempted to connect to the tool via HTTP on port 4040. A successful connection enabled the threat group to issue commands without needing to download other backdoors or malware.

Origins of a Cryptomining Worm

TeamTNT has been launching strikes into cloud infrastructure for several months.

News of the threat group first emerged in mid-August 2020 when Cado Security observed the attackers using a cryptomining worm to specifically steal and exfiltrate victims’ Amazon Web Services credentials to a server under their control.

The researchers sent some canary token credentials to the attackers’ server. However, at the time it was last analyzed, TeamTNT had not used them yet. The researchers at Cado Security interpreted this delay as a sign of one of two things: perhaps the attackers reviewed victims’ credentials before using them or their automation features were broken.

Using code stolen from the Kinsing worm, TeamTNT’s cryptomining worm scanned for open Docker APIs, spun up new Docker images and installed itself. The threat group used these propagation techniques to distribute the XMRig Monero-mining tool. Along with it came a secure shell post-exploitation solution, a log cleaning mechanism, a rootkit and a backdoor throughout a victim’s infrastructure.

Cado Security found that the worm had affected at least 119 systems. So far, these have included included Kubernetes clusters and Jenkins build servers.

How to Defend Against Threats Like Cryptominers

Groups like TeamTNT highlight the need for thorough protection around cloud systems. You can follow the advice of Intezer and Cado Security to delete unneeded Amazon Web Services credential files, to close or restrict access to Docker application programming interfaces, to review network traffic for links back to cryptomining pools and to consider blocking incoming connections to port 4040.

More generally, change your approach to cloud security. One good way to start is to motivate teams according to the fixes that actually improve security. They can then use an ongoing vulnerability management program along with regular penetration testing exercises to advance their security efforts.

Last but not least, they should consider using a hybrid cloud platform that unlocks artificial intelligence for business by automating the AI life cycle across all phases and transferring lessons from pre-trained models. This solution should also transparently govern and manage drift and risk while dynamically adapting to evolving outcomes.

More from News

ONCD releases request for information: Open-source software security

3 min read - Open-source software is a collective partnership across the development community that requires both private and public buy-in. However, securing open-source software can be tricky. With so many different people working on the coding, security measures are often overlooked, increasing the chances that a vulnerability will fall through the cracks and be exploited. The Open-Source Software Security Initiative (OS31) aims to provide governance over open-source security processes. After the Log4Shell vulnerability, securing open-source software became a top priority for the federal…

3,000 “ghost accounts” on GitHub spreading malware

3 min read - In the past, cyber criminals directly distributed malware on GitHub using encrypted scripting code or malicious executables. But now threat actors are turning to a new tactic to spread malware: creating ghost accounts. A highly effective malware campaign Check Point Research recently exposed a new distribution-as-a-service (DaaS) network, referred to as the Stargazers Ghost Network, that has been spreading malware on GitHub for at least a year. Because the accounts perform typical activities as well, users did not realize that…

Warren Buffett’s warning highlights growing risk of cyber insurance losses

3 min read - The United States cyber insurance industry continues to see strong profits, according to Fitch Ratings. Average premium increases, meanwhile, have moderated over the last three years: While 2021 saw a 34% jump in premium pricing and costs rose 15% in 2022, increases were under 1% in 2023.As noted by the Fitch Ratings report, "segment underwriting profitability at current levels is unsustainable as cyber insurance pricing is likely to remain flat or down going forward." While this is good news for…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today