November 23, 2020 By David Bisson 2 min read

Security researchers caught attackers in the act of using legitimate third-party software to target their victims’ cloud infrastructure for cryptomining.

Cryptominer Weaves Its Way Through Its Victims’ Systems

In the beginning of September, Intezer revealed that it had spotted a new attack campaign in which the TeamTNT threat group attempted to gain visibility of and control over victims’ cloud-based systems.

They did so by misusing Weave Scope. An open-source tool developed by Weave Works, Weave Scope provides automation and monitoring. To be specific, it works with Docker and Kubernetes environments. These features grant a user full control over their cloud infrastructure, including all metadata relating to their containers and hosts.

TeamTNT first used an exposed Docker API port to create a privileged container with a clean Ubuntu image. This container was privileged to the extent that its configuration allowed the attackers to mount its file system to the victim server’s file system. This enabled TeamTNT to access all the files stored on that server.

At that point in the attack chain, the threat group commanded the privileged container to run multiple cryptominers. It then attempted to gain root access by setting up a local privileged user named ‘hilde’ on the host server and using that account to connect back via Secure Shell.

After downloading and installing Weave Scope, TeamTNT attempted to connect to the tool via HTTP on port 4040. A successful connection enabled the threat group to issue commands without needing to download other backdoors or malware.

Origins of a Cryptomining Worm

TeamTNT has been launching strikes into cloud infrastructure for several months.

News of the threat group first emerged in mid-August 2020 when Cado Security observed the attackers using a cryptomining worm to specifically steal and exfiltrate victims’ Amazon Web Services credentials to a server under their control.

The researchers sent some canary token credentials to the attackers’ server. However, at the time it was last analyzed, TeamTNT had not used them yet. The researchers at Cado Security interpreted this delay as a sign of one of two things: perhaps the attackers reviewed victims’ credentials before using them or their automation features were broken.

Using code stolen from the Kinsing worm, TeamTNT’s cryptomining worm scanned for open Docker APIs, spun up new Docker images and installed itself. The threat group used these propagation techniques to distribute the XMRig Monero-mining tool. Along with it came a secure shell post-exploitation solution, a log cleaning mechanism, a rootkit and a backdoor throughout a victim’s infrastructure.

Cado Security found that the worm had affected at least 119 systems. So far, these have included included Kubernetes clusters and Jenkins build servers.

How to Defend Against Threats Like Cryptominers

Groups like TeamTNT highlight the need for thorough protection around cloud systems. You can follow the advice of Intezer and Cado Security to delete unneeded Amazon Web Services credential files, to close or restrict access to Docker application programming interfaces, to review network traffic for links back to cryptomining pools and to consider blocking incoming connections to port 4040.

More generally, change your approach to cloud security. One good way to start is to motivate teams according to the fixes that actually improve security. They can then use an ongoing vulnerability management program along with regular penetration testing exercises to advance their security efforts.

Last but not least, they should consider using a hybrid cloud platform that unlocks artificial intelligence for business by automating the AI life cycle across all phases and transferring lessons from pre-trained models. This solution should also transparently govern and manage drift and risk while dynamically adapting to evolving outcomes.

More from News

Securing critical infrastructure with the carrot and stick

4 min read - It wasn’t long ago that cybersecurity was a fringe topic of interest. Now, headline-making breaches impact large numbers of everyday citizens. Entire cities find themselves under cyberattack. In a short time, cyber has taken an important place in the national discourse. Today, governments, regulatory agencies and companies must work together to confront this growing threat. So how is the federal government bolstering security for critical infrastructure? It looks like they are using a carrot-and-stick approach. Back in March 2022, the…

650,000 cyber jobs are now vacant: How to tackle the risk

4 min read - How far is the United States behind in filing cybersecurity jobs? As per Rep. Andrew Garbarino, R-N.Y., Chairman of the HHS Cybersecurity and Infrastructure Protection Subcommittee, overseas adversaries have a workforce advantage over FBI cyber personnel of 50 to one. His statements were made during a recent subcommittee hearing titled “Growing the National Cybersecurity Talent Pipeline.” Meanwhile, recent CyberSeek data shows over 650,000 cyber jobs to fill nationwide. Given the rising rate of cyberattacks, these numbers are truly alarming. How…

Will data backups save you from ransomware? Think again

4 min read - Backups are an essential part of any solid anti-ransomware strategy. In fact, research shows that the median recovery cost for ransomware victims that used backups is half the cost incurred by those that paid the ransom. But not all data backup approaches are created equal. A separate report found that in 93% of ransomware incidents, threat actors actively target backup repositories. This results in 75% of victims losing at least some of their backups during the attack, and more than…

Should you worry about state-sponsored attacks? Maybe not.

4 min read - More than ever, state-sponsored cyber threats worry security professionals. In fact, nation-state activity alerts increased against critical infrastructure from 20% to 40% from 2021 to 2022, according to a recent Microsoft Digital Defense Report. With the advent of the hybrid war in Ukraine, nation-state actors are launching increasingly sophisticated attacks. But is this the most prominent danger facing companies today? While nation-state-based attacks cannot be ignored, it looks like insider cyber incidents are far more common. In fact, for the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today