TeamTNT Attack Highlights the Need for Cloud Governance

We’ve all heard about people exposing vast databases by accident in the cloud, but what about those hapless cloud admins that hand over the reins to their container-based applications? It’s a growing trend, and it’s a symptom of the same problem: poor configuration.

In September, a cybercrime group called TeamTNT attacked cloud infrastructures using a tool called Weave Scope from Weaveworks, which is a visualization and monitoring tool for Docker and Kubernetes environments in the cloud. According to Intezer, TeamTNT used an exposed Docker API to install the service. A separate analysis by Microsoft suggested that the hackers took advantage of Weave Scope installations that were public-facing and required no authentication.

Either way, TeamTNT initially accessed a resource that shouldn’t have been publicly accessible, and this isn’t the first time, either. The team was caught in August stealing AWS credentials, and there have been other similar attacks which, while not naming TeamTNT, certainly bear its hallmarks.

These attacks are clearly profitable for TeamTNT. Its modus operandi involves installing cryptomining software onto compromised accounts and using their computing power to generate Monero cryptocurrency. The group resurfaced at the end of September after Docker closed down its malicious Docker Hub account, and has now been found targeting vulnerable Redis servers. It also now has a new cryptominer called Black-T, which includes network scanning capabilities, according to researchers at Unit 42.

Exposed data interfaces in the cloud are a long-standing problem for poorly trained cloud users. Leaky S3 buckets and misconfigured Elasticsearch instances spout sensitive records by the billion, but this recent spate of container breaches highlights again how important it is to lock down cloud operations.

There are many moving parts to that puzzle, but it begins by ensuring that your sensitive cloud-based services and APIs are sealed off from public view. Intezer advises closing exposed Docker API ports and also blocking incoming connections to port 4040, which is Weave Scope’s default access port. Weaveworks has also published its own advice on protective measures.
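As an added example (not from the article, Intezer or Weaveworks), the following script audits the output of `ss -ltnH` on one of your own hosts and flags listeners on these ports that are bound to anything other than loopback. Port 4040 comes from the advice above; 2375 and 2376 are Docker's conventional plain and TLS API ports and are an assumption here, as is the constructed sample input.

```python
import ipaddress

# 4040: Weave Scope's default port (from the article).
# 2375/2376: Docker's conventional plain/TLS API ports (assumption, not from the article).
WATCHED = {2375: "Docker API (plain TCP)", 2376: "Docker API (TLS)", 4040: "Weave Scope UI"}

def split_addr(local):
    """Split the 'Local Address:Port' column of ss into (host, port)."""
    host, _, port = local.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface scope
    return host, int(port)

def is_loopback(host):
    if host in ("*", ""):
        return False  # wildcard bind: listening on every interface
    return ipaddress.ip_address(host).is_loopback

def audit_listeners(ss_output):
    """Return sorted (port, bind address, service) tuples for watched ports
    that listen on a non-loopback address. Input: output of `ss -ltnH`."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        host, port = split_addr(cols[3])
        if port in WATCHED and not is_loopback(host):
            findings.append((port, host, WATCHED[port]))
    return sorted(findings)

# Constructed sample of `ss -ltnH` output, for illustration only.
SAMPLE = """\
LISTEN 0 4096 0.0.0.0:2375 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:2376 0.0.0.0:*
LISTEN 0 4096 *:4040 *:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 [::1]:4040 [::]:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
"""

if __name__ == "__main__":
    for port, host, service in audit_listeners(SAMPLE):
        print(f"{service}: port {port} is bound to {host}, restrict or firewall it")
```

A flagged listener is reachable from the network only if the host firewall and the cloud security group also allow the port, so treat each finding as a prompt to check those rules as well.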
