Researchers at Intezer have documented how the cybercrime group TeamTNT took over Docker and Kubernetes deployments. The attackers used a legitimate third-party tool, Weave Scope, to control the victims' Docker and Kubernetes environments, and the researchers said the intrusion would have been prevented if the Docker API and port 4040 had not been exposed to the internet.
Kubernetes and Docker Hacked by a Legitimate Tool
As antivirus software gets better at detecting new malware, attackers have adopted a technique that avoids dropping malware of their own entirely. TeamTNT, a cybercrime group previously known for cryptojacking, has been scanning the internet for open Docker daemon ports.
Now they have found a way to breach a server without deploying any malware: using the open-source third-party tool Weave Scope. Researchers at Intezer have documented this latest attack on Docker and Kubernetes platforms.
The researchers said the attackers first found an exposed Docker API, which let them launch a clean Ubuntu container on the target server configured to mount the host's filesystem, giving them access to the files on the host. They then created a local user account named “hilde” with elevated privileges and used it to connect to the server over SSH.
With this elevated access they installed Weave Scope on the target system, which takes only three commands: download the Scope app, make it executable, and launch it. Weave Scope is a monitoring and visualization tool for container workloads that integrates with Docker, Kubernetes, Amazon Elastic Container Service (ECS) and the Distributed Cloud Operating System (DC/OS).
Because it maps every process, container and host on the server it runs on, it lets the operator control the installed applications, including opening a shell inside a running container. Using this capability, TeamTNT connected to their Weave Scope dashboard over HTTP on port 4040 and took control of the environment.
The researchers described the attack as rare and said it is the first known case of a legitimate third-party tool being used to compromise a Docker platform. They also said it could have been prevented if the Docker API and port 4040 had been closed or restricted to trusted addresses. In practice that means not binding the Docker daemon to a TCP socket (by default 2375 plaintext, 2376 TLS) without TLS client-certificate authentication, and firewalling the Weave Scope UI so only trusted hosts can reach it.
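The checks below are an added example, not code from Intezer, Weave or the original article. They audit a host for the three conditions the attack chain relies on: a Docker API listening on TCP without TLS client verification (read from the daemon's `daemon.json`), a container that runs privileged or bind-mounts the host root (read from `docker inspect` output), and a Weave Scope dashboard or Docker API port reachable on all interfaces (read from `ss -ltn`). The `daemon.json` keys and `docker inspect` fields used are the real ones; the sample configuration, inspect output and socket listing are constructed so the script runs offline.

```python
"""Audit a Docker host for the exposures behind the TeamTNT / Weave Scope intrusion.

Added example; all sample inputs below are constructed, not captured from a real host.
"""
import json
import re

# Constructed /etc/docker/daemon.json that exposes the API on plaintext TCP.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed hardened counterpart: TCP only on one interface, mutual TLS required.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tls": True,
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_daemon_config(raw_json):
    """Return findings for a daemon.json document.

    Any tcp:// listener is flagged unless tlsverify is on with a CA configured,
    and a bind to all interfaces is flagged even when TLS is on.
    """
    cfg = json.loads(raw_json)
    findings = []
    tls_ok = bool(cfg.get("tlsverify")) and bool(cfg.get("tlscacert"))
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue
        if not tls_ok:
            findings.append(f"Docker API on {host} without client-certificate verification")
        if "0.0.0.0" in host or "[::]" in host:
            findings.append(f"Docker API bound to all interfaces: {host}")
    return findings


# Constructed `docker inspect` output, reduced to the fields the check reads.
SAMPLE_INSPECT = [
    {"Name": "/web", "HostConfig": {"Privileged": False,
                                    "Binds": ["/srv/www:/usr/share/nginx/html:ro"]}},
    {"Name": "/suspicious", "HostConfig": {"Privileged": True, "Binds": ["/:/host"]}},
    {"Name": "/worker", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt/root"}]},
]


def host_root_mounts(container):
    """Yield host paths that hand the container the entire host filesystem."""
    hc = container.get("HostConfig", {})
    for bind in hc.get("Binds") or []:          # "src:dst[:opts]" form
        if bind.split(":", 1)[0] == "/":
            yield "/"
    for m in container.get("Mounts") or []:     # resolved mount list
        if m.get("Type") == "bind" and m.get("Source") == "/":
            yield "/"


def audit_containers(inspect_output):
    """Return (name, privileged, host_root_mounts) for each risky container."""
    flagged = []
    for c in inspect_output:
        privileged = bool(c.get("HostConfig", {}).get("Privileged"))
        roots = list(host_root_mounts(c))
        if privileged or roots:
            flagged.append((c["Name"].lstrip("/"), privileged, roots))
    return flagged


# Constructed `ss -ltn` listing showing SSH, the Weave Scope UI and the Docker API.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22       0.0.0.0:*
LISTEN 0      4096         0.0.0.0:4040     0.0.0.0:*
LISTEN 0      4096               *:2375           *:*
"""

WATCHED_PORTS = {2375: "Docker API (plaintext)", 2376: "Docker API (TLS)", 4040: "Weave Scope UI"}
ALL_INTERFACES = {"0.0.0.0", "*", "[::]", "::"}


def exposed_ports(ss_output):
    """Parse `ss -ltn` output; return {port: description} for watched ports on all interfaces."""
    hits = {}
    for line in ss_output.splitlines()[1:]:     # skip the header row
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        m = re.match(r"^(.*):(\d+)$", parts[3])  # Local Address:Port
        if not m:
            continue
        addr, port = m.group(1), int(m.group(2))
        if port in WATCHED_PORTS and addr in ALL_INTERFACES:
            hits[port] = WATCHED_PORTS[port]
    return hits


if __name__ == "__main__":
    for f in audit_daemon_config(WEAK_DAEMON_JSON):
        print("daemon:", f)
    for name, priv, roots in audit_containers(SAMPLE_INSPECT):
        print(f"container {name}: privileged={priv} host_root_mounts={roots}")
    for port, what in sorted(exposed_ports(SAMPLE_SS).items()):
        print(f"port {port} open on all interfaces: {what}")
```

On a live host, feed `audit_daemon_config` the contents of `/etc/docker/daemon.json`, `audit_containers` the output of `docker inspect $(docker ps -q)`, and `exposed_ports` the output of `ss -ltn`. One caveat: on systemd-based distributions the `hosts` key in `daemon.json` conflicts with a `-H` flag in the `dockerd` unit file, so also check the unit file and the running `dockerd` command line, where an exposed TCP listener may be configured instead.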