TeamTNT Used Compromised Docker Hub Accounts

Analysts identified several actions that the same threat actor carried out in different venues.
One was the use of Weave Scope, a legitimate tool by Weaveworks used to monitor/control deployed containers.
Weave Scope is a visualization and monitoring tool for Docker and Kubernetes. System administrators can use this to monitor and control their deployed containers/pods/workloads.
One can manage running containers by executing, rebooting, pausing, stopping or even deleting containers, all of which can be controlled from a web console (either local or in the cloud).
In this attack scenario, the compromised underlying host was made a node of the threat actor-controlled Weave Scope Cloud instance, from where they could execute various commands.

The administration features make Weave Scope an interesting target. This is how attackers targeted this recently:

1. The attacker spins up a new privileged container based on an image from a compromised account. In the arguments, the attacker attempts to mount the root file system of the underlying host to the ‘/host’ mount point and executes a bash script fetched from the attacker’s infrastructure.

2. The script ‘scope2.sh’ is downloaded and piped to ‘bash’ to be executed. The script initially checks if the hostname’s value is ‘HaXXoRsMoPPeD’ halting the execution if true. This looks like a flag to check if a system has already been compromised.

3. Environment variables are set, which overrides localization settings, prevents command history logging, and exports a new path.

4. A variable ‘SCOPE_TOKEN’ is populated from a controlled endpoint, which contains the Weave Scope service token. ‘SCOPESHFILE’ contains the Weave Scope script, which is encoded in base64.

5. The path to ‘docker’ binary is fetched using ‘type docker’. To evade any TTY events, they’re redirected to ‘/dev/null’. Based on this, the execution proceeds.

6. The file ‘/tmp/.ws’ is checked:

a. If the file doesn’t exist, the following commands are executed:

i. The ‘/tmp/’ path is remounted with read-write permissions using the ‘mount’ utility.

ii. The base64 encoded string of the ‘SCOPESHFILE’ variable is decoded and the output is redirected to ‘/tmp/.ws’. This is the Weaveworks’ script and is hidden by default since the file name begins with a ‘.

iii. The permissions of the newly created script are changed to executable using ‘chmod’

b. If the file ‘/tmp/.ws’ exists, then execution proceeds as follows:

i. The ‘/tmp/’ path is remounted as read-write using ‘mount’ utility.

ii. The Weaveworks utility Weave Scope at /tmp/.ws is stopped and launched with the service token fetched on step 4.

Based on the research, the attackers also used a well-known technique to escape from a compromised container to the host. They did this by using bind mounts and fetching the Docker Hub credentials from the following paths:

/root/.docker/config.json
/home/*/.docker/config.json

When someone logs into their Docker Hub account using the Docker command line and there are no credential stores specified, the username, password and registry server link are populated as a JSON that looks like this:

By default, the registry used is of Docker Inc. The value of ‘auths.auth’ field is the base64-encoded string that contains the credentials in the format ‘username:password’. If these credentials are compromised, one can gain access to the victims’ information:

– Email ID used to create the account
– Private Images
– Access tokens
– Slack Webhooks
– Content Subscriptions
– Upgraded features

Enumeration Of Exposed Kubelets

This attack abused the Docker REST API to create a container from an image that had a script at the filesystem path ‘/root/init.sh’, which contains the following:

1. They initially update the alpine-based container and add the packages they need in later operations, like compiling zgrab from source, using masscan, etc.

2. Once the above steps are executed, they begin the execution of their malicious function using a kill switch, which is based on the contents of a certain endpoint on the attacker’s infrastructure to be equal to ‘RUN’.

3. Once the kill switch is confirmed to be equal to ‘RUN’, the malicious PWN function is executed.

This script fetches a scan range from a malicious server endpoint. If the results fetched contain ‘ENDE’, that signals the exit of the malicious script.

The results returned by the endpoint is stored in the variable ‘SCAN_RANGE’, which is later appended to ‘.0.0.0/8’. For example, if the value returned from the endpoint is 10, then the value of ‘SCAN_RANGE’ will be ‘10.0.0.0/8’

The variable ‘rndstr’ is a six-letter random alphabetical string that accumulates a list of IP addresses of running pods with the kubelet API TCP port 10250 exposed that have been found using masscan and zgrab. Once this subnet is completed, the results are sent back to the threat actor using a for loop, which iterates over the results acquired via a website.

Once the results are sent, the kill switch loop loops back for a new subnet from the infrastructure unless all the subnets are enumerated.

The threat actor seems to do this as preparation to later target exposed kubelets.

Sign Up For Threat Alerts

Loading...
Threats Icon

Jan 29, 2023

APT15 Targets Multiple Sectors With Turian Backdoor

APT15, also known as Playful Taurus, is an advanced persistent threat (APT) that conducts a...

Threats Icon

Jan 26, 2023

Vice Society Ransomware Group Targets Manufacturing Companies

The Vice Society threat group was discovered targeting multiple sectors including manufacturing companies in Brazil....

Threats Icon

Jan 26, 2023

US Cert Alert – Alert (AA23-025A) Protecting...

Although this campaign appears financially motivated, the authoring organizations assess it could lead to additional...

Threats Icon

Jan 25, 2023

Emotet Malware Makes a Comeback with New...

The Emotet malware operation has continued to refine its tactics in an effort to fly...

Threats Icon

Jan 25, 2023

DragonSpark

The DragonSpark attacks represent the first concrete malicious activity where Analysts observe the consistent use...

Threats Icon

Jan 25, 2023

PLAY Ransomware

PLAY is simple but heavily obfuscated with a lot of unique tricks that have not...

Threats Icon

Jan 24, 2023

Gamaredon Abuses Telegram To Target Ukrainian Government...

The Gamaredon APT group was discovered targeting Ukrainian government entities using the Telegram messaging service...

Threats Icon

Jan 23, 2023

NeedleDropper: A New Dropper-as-a-Service Uncovered

Avast's Threat Research Team has since October 2022 been observing a new strain of dropper...

Threats Icon

Jan 22, 2023

Aurora Stealer Leverages Shapeshifting Tactics And Popular...

A threat actor was discovered mimicking legitimate websites to host and deliver the 9002 RAT,...

Threats Icon

Jan 19, 2023

Earth Bogle Campaign Targets Entities With Geopolitical...

Middle Eastern geopolitical themed lures were used to distribute njRAT across the Middle East and...

Threats Icon

Jan 18, 2023

The NoName057(16) Hacktivist Group Targets Ukraine Supporters...

The NoName057(16) hacktivist group targeted multiple sectors across Ukraine and neighboring countries with DDoS attacks....

Threats Icon

Jan 17, 2023

Italy Targeted By Information Stealer Malware

An un-named information stealer was targeting end users in Italy through a phishing campaign using...

Threats Icon

Jan 15, 2023

The Australian healthcare industry was targeted by...

The Australian healthcare industry was targeted by the Gootkit loader malware; initial access was gained...

Threats Icon

Jan 11, 2023

Shc Linux Malware Used To Install XMRig...

External facing Linux servers in South Korea were targeted with a Shc (Shell Script Compiler)...

Threats Icon

Jan 11, 2023

Dridex Returns To Target MacOS With Updated...

Threat actors have been seen targeting Mac users with the Dridex malware. Although the malware...