Cybercriminals Are Using Legit Cloud Monitoring Tools As Backdoor
Ravie Lakshmanan - September 09, 2020
Ravie Lakshmanan - September 09, 2020
[SHOWTOGROUPS=4,20,22]
Для просмотра ссылки Войдиили Зарегистрируйся
A cybercrime group that has previously struck Docker and Kubernetes cloud environments has evolved to repurpose genuine cloud monitoring tools as a backdoor to carry out malicious attacks, according to new research.
"To our knowledge, this is the first time attackers have been caught using legitimate third party software to target cloud infrastructure," Israeli cybersecurity firm Intezer said in a Для просмотра ссылки Войдиили Зарегистрируйся analysis.
Using software called Для просмотра ссылки Войдиили Зарегистрируйся, which is used as a visualization and monitoring tool for Docker and Kubernetes services, the TeamTNT threat actor not only mapped the cloud environment of their victims but also executed system commands without having to deploy malicious code on the target server explicitly.
TeamTNT has been active at least since Для просмотра ссылки Войдиили Зарегистрируйся this year, directing their attacks on Для просмотра ссылки Войди или Зарегистрируйся to install a cryptocurrency mining malware and a Distributed Denial-of-Service (DDoS) bot.
Then Для просмотра ссылки Войдиили Зарегистрируйся, the crypto-mining gang updated their modus operandi to exfiltrate Amazon Web Services (AWS) logins by scanning the infected Docker and Kubernetes systems for sensitive credential information stored in Для просмотра ссылки Войди или Зарегистрируйся files.
While their method of gaining initial foothold hasn't changed, what has been tweaked is the mode of gaining control over the infected host's infrastructure itself.
Для просмотра ссылки Войдиили Зарегистрируйся
Once the attackers found their way in, they set up a new privileged container with a clean Ubuntu image, using it to download and execute cryptominers, gain root access to the server by creating a local privileged user named 'hilde' to connect to the server via SSH, and eventually install Weave Scope.
"By installing a legitimate tool such as Weave Scope the attackers reap all the benefits as if they had installed a backdoor on the server, with significantly less effort and without needing to use malware," Intezer's Nicole Fishbein said.
Although the ultimate goal of TeamTNT appears to be generating cash via cryptocurrency mining, numerous groups that have resorted to Для просмотра ссылки Войдиили Зарегистрируйся are successful at compromising enterprise systems in part because of exposed API endpoints, making them an attractive target for cybercriminals.
It's recommended that Docker API endpoints are access restricted to prevent adversaries from taking control over the servers.
"Weave Scope uses default port 4040 to make the dashboard accessible and anyone with access to the network can view the dashboard. Similar to the Docker API port, this port should be closed or restricted by the firewall," the cybersecurity firm said.
[/SHOWTOGROUPS]
Для просмотра ссылки Войди
A cybercrime group that has previously struck Docker and Kubernetes cloud environments has evolved to repurpose genuine cloud monitoring tools as a backdoor to carry out malicious attacks, according to new research.
"To our knowledge, this is the first time attackers have been caught using legitimate third party software to target cloud infrastructure," Israeli cybersecurity firm Intezer said in a Для просмотра ссылки Войди
Using software called Для просмотра ссылки Войди
TeamTNT has been active at least since Для просмотра ссылки Войди
Then Для просмотра ссылки Войди
While their method of gaining initial foothold hasn't changed, what has been tweaked is the mode of gaining control over the infected host's infrastructure itself.
Для просмотра ссылки Войди
Once the attackers found their way in, they set up a new privileged container with a clean Ubuntu image, using it to download and execute cryptominers, gain root access to the server by creating a local privileged user named 'hilde' to connect to the server via SSH, and eventually install Weave Scope.
"By installing a legitimate tool such as Weave Scope the attackers reap all the benefits as if they had installed a backdoor on the server, with significantly less effort and without needing to use malware," Intezer's Nicole Fishbein said.
Although the ultimate goal of TeamTNT appears to be generating cash via cryptocurrency mining, numerous groups that have resorted to Для просмотра ссылки Войди
It's recommended that Docker API endpoints are access restricted to prevent adversaries from taking control over the servers.
"Weave Scope uses default port 4040 to make the dashboard accessible and anyone with access to the network can view the dashboard. Similar to the Docker API port, this port should be closed or restricted by the firewall," the cybersecurity firm said.
[/SHOWTOGROUPS]
