The latest attack by TeamTNT uses the monitoring tool Weave Scope to gain administrative access to cloud environments. The TeamTNT attack targets Docker, Kubernetes, Distributed Cloud Operating System (DC/OS), and AWS Elastic Compute Cloud instances. TeamTNT has a history of compromising cloud environments with a variety of tools and attack methods.
Because Weave Scope is a legitimate tool, TeamTNT avoids deploying custom malicious code or modifying the tool itself. Weave Scope is used to monitor and administer cloud environments from a centralized dashboard. It lets TeamTNT perform reconnaissance by viewing the configuration of the various systems, as well as providing backdoor access.
The attack chain starts by identifying exposed Docker API ports and then creating a privileged container running a clean Ubuntu image. The new container is configured to mount the file system of the target server. As part of the initial setup, the malicious container downloads and installs various crypto miners. TeamTNT then sets up SSH with a privileged user account and uses the curl command to download Weave Scope. From there, the threat actor sets up Weave Scope per the instructions provided by the vendor.
Once Weave Scope is installed successfully, TeamTNT can run shell commands and view the cloud environment using a web-based dashboard over port 4040.
Business Unit Impact
It is highly encouraged that external access to Docker API ports is blocked. Consider blocking the indicators of compromise using the blocklist linked below. It may also be worthwhile to restrict or block access to port 4040, the port used by the Weave Scope dashboard, in your environment.
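The attack chain above and the recommendations in this section both reduce to a few configuration facts a defender can check on each Docker host: is the daemon API reachable over TCP without TLS, is a privileged container bind-mounting the host's root filesystem, and is something publishing port 4040 or running the Weave Scope image. The following audit script is an added example written for this report, not Avertium's tooling or anything from the source. It assumes input in the shape of `docker inspect` output and of `/etc/docker/daemon.json`; the container records and daemon configuration below are constructed samples, not data from a real incident.

```python
"""Audit Docker hosts for the TeamTNT / Weave Scope pattern described above.

Hypothetical example, not Avertium's tooling. Input shapes are those of
`docker inspect <container>` (a list of container records) and of
/etc/docker/daemon.json.
"""

# Constructed sample of `docker inspect` output, trimmed to the fields the audit uses.
SAMPLE_INSPECT = [
    {   # privileged Ubuntu container with the host root mounted: the initial foothold
        "Id": "c0ffee01",
        "Name": "/monitor",
        "Config": {"Image": "ubuntu:18.04"},
        "HostConfig": {"Privileged": True, "Binds": ["/:/host"], "PortBindings": {}},
        "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host"}],
    },
    {   # Weave Scope dashboard published on port 4040
        "Id": "c0ffee02",
        "Name": "/scope",
        "Config": {"Image": "weaveworks/scope:1.13.1"},
        "HostConfig": {
            "Privileged": False,
            "Binds": [],
            "PortBindings": {"4040/tcp": [{"HostIp": "0.0.0.0", "HostPort": "4040"}]},
        },
        "Mounts": [],
    },
    {   # ordinary web container: no findings expected
        "Id": "c0ffee03",
        "Name": "/web",
        "Config": {"Image": "nginx:1.21"},
        "HostConfig": {
            "Privileged": False,
            "Binds": ["/srv/site:/usr/share/nginx/html:ro"],
            "PortBindings": {"80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8080"}]},
        },
        "Mounts": [{"Type": "bind", "Source": "/srv/site", "Destination": "/usr/share/nginx/html"}],
    },
]

# Constructed daemon.json: the Docker API is bound to every interface with no TLS.
SAMPLE_DAEMON_JSON = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}

WEAVE_SCOPE_PORT = "4040/tcp"
WEAVE_SCOPE_IMAGE = "weaveworks/scope"  # upstream image name for Weave Scope


def host_root_mounted(container):
    """True if the container bind-mounts the host's root filesystem ("/")."""
    for bind in container.get("HostConfig", {}).get("Binds") or []:
        if bind.split(":", 1)[0] == "/":
            return True
    for mount in container.get("Mounts") or []:
        if mount.get("Type") == "bind" and mount.get("Source") == "/":
            return True
    return False


def audit_container(container):
    """Return the list of findings for one container record (empty if clean)."""
    findings = []
    host_config = container.get("HostConfig", {})
    image = container.get("Config", {}).get("Image", "")
    if host_config.get("Privileged"):
        findings.append("privileged")
    if host_root_mounted(container):
        findings.append("host-root-mount")
    if WEAVE_SCOPE_PORT in (host_config.get("PortBindings") or {}):
        findings.append("port-4040-published")
    if image.startswith(WEAVE_SCOPE_IMAGE):
        findings.append("weave-scope-image")
    return findings


def audit_daemon(daemon_config):
    """Flag any TCP API listener configured without TLS client verification."""
    findings = []
    for host in daemon_config.get("hosts", []):
        if host.startswith("tcp://") and not daemon_config.get("tlsverify"):
            findings.append("docker-api-tcp-no-tls:" + host)
    return findings


def audit(inspect_output, daemon_config):
    """Map container names (and 'daemon') to non-empty finding lists."""
    report = {}
    for container in inspect_output:
        findings = audit_container(container)
        if findings:
            report[container["Name"]] = findings
    daemon_findings = audit_daemon(daemon_config)
    if daemon_findings:
        report["daemon"] = daemon_findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT, SAMPLE_DAEMON_JSON).items():
        print(f"{name}: {', '.join(findings)}")
```

On a live host the same functions can be fed the parsed output of `docker inspect $(docker ps -q)` and the contents of `/etc/docker/daemon.json`. A daemon finding is cleared by removing the `tcp://` entry or by pairing it with `tlsverify`, `tlscacert`, `tlscert` and `tlskey` so that only clients holding a certificate signed by your CA can reach the API.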
Sources
https://otx.alienvault.com/pulse/5f58ff8e319f59c6e46496b1
Supporting Documentation:
MITRE Mapping(s)
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.