Weave Scope, a cloud visualization and monitoring tool, is being abused by the hacking group TeamTNT to map cloud environments and execute commands. The attackers abuse an exposed Docker API port to create a new privileged container, then deploy Weave Scope to control the cloud environment and run shell commands for their cryptomining attack, according to security firm Intezer.
More from Intezer:
- This is the first time an attacker has exploited legitimate software as an administrative tool on the Linux operating system.
- Intezer recommends that companies close exposed Docker API ports and block connections to port 4040, which is used to access the Weave Scope dashboard.
- Weave Scope gives users full access to their cloud environment and is integrated with Docker, Kubernetes, the Distributed Cloud Operating System, and AWS Elastic Compute Cloud.
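The two recommendations above translate into a quick host audit: is the Docker API or the Weave Scope dashboard listening on a non-loopback address, and is any container running privileged, with a Weave Scope image, or with the host filesystem or Docker socket mounted in? The script below is an added example, not code from Intezer or from the Weave Scope project. It parses constructed samples of `docker inspect` JSON and `ss -lntp` output embedded inline; the port numbers 2375 (Docker's default plaintext API port, a known default that the article itself does not state) and 4040 (from the article) and the image name `weaveworks/scope` are the assumptions it relies on.

```python
"""Audit a Docker host for the pattern described above: exposed Docker API /
Weave Scope ports and privileged or over-mounted containers.

Feed it real data with:
    docker inspect $(docker ps -q)   ->  audit_containers(...)
    ss -lntp                         ->  exposed_ports(...)
"""
import json

# Ports worth flagging when bound to a non-loopback address.
# 2375 is Docker's default unencrypted API port (assumption: not in the article);
# 4040 is the Weave Scope dashboard port named by Intezer.
RISKY_PORTS = {
    2375: "Docker API (unencrypted)",
    4040: "Weave Scope dashboard",
}

# Mount sources that hand a container control of the host.
SENSITIVE_MOUNT_SOURCES = {"/", "/var/run/docker.sock"}

# Constructed sample in the shape `docker inspect` returns (a JSON list).
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa", "Name": "/web",
     "Config": {"Image": "nginx:1.19"},
     "HostConfig": {"Privileged": False, "Binds": []}},
    {"Id": "bbb", "Name": "/hungry",
     "Config": {"Image": "alpine:3.12"},
     "HostConfig": {"Privileged": True, "Binds": ["/:/host"]}},
    {"Id": "ccc", "Name": "/weavescope",
     "Config": {"Image": "weaveworks/scope:latest"},
     "HostConfig": {"Privileged": True,
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}},
])

# Constructed sample of `ss -lntp` style output.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*
LISTEN 0      128    0.0.0.0:2375         0.0.0.0:*
LISTEN 0      128    0.0.0.0:4040         0.0.0.0:*
LISTEN 0      128    127.0.0.1:9090       0.0.0.0:*
"""


def audit_containers(inspect_json):
    """Return (container_name, finding) tuples for risky containers."""
    findings = []
    for container in json.loads(inspect_json):
        name = container["Name"].lstrip("/")
        image = container["Config"]["Image"]
        host_config = container.get("HostConfig", {})
        if host_config.get("Privileged"):
            findings.append((name, "privileged container"))
        if image.startswith("weaveworks/scope"):
            findings.append((name, "weave scope image"))
        for bind in host_config.get("Binds") or []:
            source = bind.split(":")[0]
            if source in SENSITIVE_MOUNT_SOURCES:
                findings.append((name, f"sensitive mount {source}"))
    return findings


def exposed_ports(ss_output):
    """Return (port, description) for risky ports bound to non-loopback addresses."""
    hits = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        address, _, port = fields[3].rpartition(":")
        if address in ("127.0.0.1", "[::1]"):
            continue  # loopback-only listeners are not reachable from outside
        port = int(port)
        if port in RISKY_PORTS:
            hits.append((port, RISKY_PORTS[port]))
    return hits


if __name__ == "__main__":
    for name, finding in audit_containers(SAMPLE_INSPECT):
        print(f"container {name}: {finding}")
    for port, description in exposed_ports(SAMPLE_SS):
        print(f"port {port} exposed: {description}")
```

A privileged container alone is not proof of compromise, and a legitimate Weave Scope deployment looks identical on the host; the value of the check is in flagging the combination the article describes (an externally reachable Docker API, a privileged container, and a Scope dashboard on 4040) so that it can be reviewed against what operations actually deployed.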