Security researchers caught attackers in the act of using legitimate third-party software to target their victims’ cloud infrastructure for cryptomining.

Cryptominer Weaves Its Way Through Its Victims’ Systems

In the beginning of September, Intezer revealed that it had spotted a new attack campaign in which the TeamTNT threat group attempted to gain visibility of and control over victims’ cloud-based systems.

They did so by misusing Weave Scope. An open-source tool developed by Weave Works, Weave Scope provides automation and monitoring. To be specific, it works with Docker and Kubernetes environments. These features grant a user full control over their cloud infrastructure, including all metadata relating to their containers and hosts.

TeamTNT first used an exposed Docker API port to create a privileged container with a clean Ubuntu image. This container was privileged to the extent that its configuration allowed the attackers to mount its file system to the victim server’s file system. This enabled TeamTNT to access all the files stored on that server.

At that point in the attack chain, the threat group commanded the privileged container to run multiple cryptominers. It then attempted to gain root access by setting up a local privileged user named ‘hilde’ on the host server and using that account to connect back via Secure Shell.

After downloading and installing Weave Scope, TeamTNT attempted to connect to the tool via HTTP on port 4040. A successful connection enabled the threat group to issue commands without needing to download other backdoors or malware.

Origins of a Cryptomining Worm

TeamTNT has been launching strikes into cloud infrastructure for several months.

News of the threat group first emerged in mid-August 2020 when Cado Security observed the attackers using a cryptomining worm to specifically steal and exfiltrate victims’ Amazon Web Services credentials to a server under their control.

The researchers sent some canary token credentials to the attackers’ server. However, at the time it was last analyzed, TeamTNT had not used them yet. The researchers at Cado Security interpreted this delay as a sign of one of two things: perhaps the attackers reviewed victims’ credentials before using them or their automation features were broken.

Using code stolen from the Kinsing worm, TeamTNT’s cryptomining worm scanned for open Docker APIs, spun up new Docker images and installed itself. The threat group used these propagation techniques to distribute the XMRig Monero-mining tool. Along with it came a secure shell post-exploitation solution, a log cleaning mechanism, a rootkit and a backdoor throughout a victim’s infrastructure.

Cado Security found that the worm had affected at least 119 systems. So far, these have included included Kubernetes clusters and Jenkins build servers.

How to Defend Against Threats Like Cryptominers

Groups like TeamTNT highlight the need for thorough protection around cloud systems. You can follow the advice of Intezer and Cado Security to delete unneeded Amazon Web Services credential files, to close or restrict access to Docker application programming interfaces, to review network traffic for links back to cryptomining pools and to consider blocking incoming connections to port 4040.

More generally, change your approach to cloud security. One good way to start is to motivate teams according to the fixes that actually improve security. They can then use an ongoing vulnerability management program along with regular penetration testing exercises to advance their security efforts.

Last but not least, they should consider using a hybrid cloud platform that unlocks artificial intelligence for business by automating the AI life cycle across all phases and transferring lessons from pre-trained models. This solution should also transparently govern and manage drift and risk while dynamically adapting to evolving outcomes.