A cybercrime group that has previously struck Docker and Kubernetes cloud environments has evolved to repurpose genuine cloud monitoring tools as a backdoor to carry out malicious attacks, according to new research.
“To our knowledge, this is the first time attackers have been caught using legitimate third party software to target cloud infrastructure,” Israeli cybersecurity firm Intezer said in a Tuesday analysis.
Using software called Weave Scope, a visualization and monitoring tool for Docker and Kubernetes services, the TeamTNT threat actor not only mapped the cloud environment of their victims but also executed system commands without having to explicitly deploy malicious code on the target server.
TeamTNT has been active since at least late April this year, directing their attacks at misconfigured Docker ports to install cryptocurrency mining malware and a Distributed Denial-of-Service (DDoS) bot.
Then last month, the crypto-mining gang updated their modus operandi to exfiltrate Amazon Web Services (AWS) logins by scanning the infected Docker and Kubernetes systems for sensitive credential information stored in AWS credentials and config files.