{
	"id": "066e22fe-bf5f-4fa9-a8aa-45a5c4558501",
	"created_at": "2026-04-06T00:12:42.948695Z",
	"updated_at": "2026-04-10T03:27:04.691343Z",
	"deleted_at": null,
	"sha1_hash": "a44a575f120ca7935e006a0b1bf6e5f40ee69e17",
	"title": "Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 270017,
	"plain_text": "Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct\r\nCyber Attacks\r\nBy Nicole Fishbein\r\nPublished: 2020-09-08 · Archived: 2026-04-02 11:38:40 UTC\r\nIntroduction\r\nTeamTNT is a cybercrime group that targets cloud environments including Docker and Kubernetes instances. The\r\ngroup has been previously documented using several tools including crypto-miners and Amazon Web Services\r\n(AWS) credential-stealing worms.\r\nTeamTNT has also been spotted using a malicious Docker image which can be found on Docker Hub to infect its\r\nvictims’ servers. Now the group is evolving. In a recent attack observed by Intezer, TeamTNT uses a new\r\ntechnique by abusing Weave Scope, a trusted tool which gives the user full access to their cloud environment and\r\nis integrated with Docker, Kubernetes, the Distributed Cloud Operating System (DC/OS), and AWS Elastic\r\nCompute Cloud (ECS). The attackers install this tool in order to map the cloud environment of their victim and\r\nexecute system commands without deploying malicious code on the server.\r\nTo our knowledge, this is the first time attackers have been caught using legitimate third-party software to\r\ntarget cloud infrastructure. When abused, Weave Scope gives the attacker full visibility and control over all\r\nassets in the victim’s cloud environment, essentially functioning as a backdoor.\r\nBelow we will describe the attack flow and the use of Weave Scope by the attacker.\r\nAttack Flow\r\nTeamTNT’s attacks typically involve the use of malicious Docker images from the Docker Hub in addition\r\nto crypto-miners and malicious scripts. The uniqueness of the recent attack observed by Intezer is that the group\r\nabuses a legitimate open source tool called Weave Scope to gain full control over the victim’s cloud infrastructure.\r\nWeave Scope is an open source tool from Weave Works, a company that offers automation tools for working with\r\ncontainerized applications. 
It provides monitoring, visualization, and control over Docker and Kubernetes. Using a\r\ndashboard accessible from the browser, the user gains full control over the infrastructure including all information\r\nand metadata about containers, processes, and hosts.\r\nWeave Scope is a powerful utility, giving the attackers access to all information about the victim’s server\r\nenvironment along with the ability to control it, including: installed applications, connections between the cloud\r\nworkloads, use of the memory and CPU, and a list of existing containers with the ability to start, stop, and open\r\ninteractive shells in any of these containers. By installing a legitimate tool such as Weave Scope the attackers reap\r\nall the benefits as if they had installed a backdoor on the server, with significantly less effort and without needing\r\nto use malware.\r\nhttps://www.intezer.com/blog/cloud-security/attackers-abusing-legitimate-cloud-monitoring-tools-to-conduct-cyber-attacks/\r\nPage 1 of 4\n\nThe image above is a Weave Scope visualization of a Linux server. On the left is the open terminal of an Nginx-based container. On the right is a view of all the containers on the server.\r\nTo install Weave Scope on the server the attackers use an exposed Docker API port and create a new privileged\r\ncontainer with a clean Ubuntu image. The container is configured to mount the filesystem of the victim server into the\r\ncontainer, thus giving the attackers access to all files on the server. The initial command\r\ngiven to the container is to download and execute several cryptominers.\r\nThe attackers then attempt to gain root access to the server by setting up a local privileged user named ‘hilde’ on\r\nthe host server and using it to connect back via SSH.\r\nNext, the attackers download and install Weave Scope. 
As described in the installation guide in Weave Scope’s Git repository,\r\nit takes only a few commands to complete installation of the tool.\r\nOnce installed, the attackers can connect to the Weave Scope dashboard via HTTP on port 4040 and gain full\r\nvisibility and control over the victim’s infrastructure.\r\nFrom the dashboard the attackers can see a visual map of the Docker runtime cloud environment and give shell\r\ncommands without needing to deploy any malicious backdoor component. Not only is this scenario incredibly\r\nrare, to our knowledge this is the first time an attacker has downloaded legitimate software to use as an admin tool\r\non the Linux operating system.\r\nMitigation Recommendations\r\nPrecise and correct configuration of cloud workloads and services can prevent many attacks, which is why it’s\r\nimportant to take the time and effort to check them. To protect yourself from this attack we recommend that you:\r\nClose exposed Docker API ports: This attack takes advantage of a common misconfiguration of the\r\nDocker API which gives the attacker full control over the Docker service. Therefore, Docker API ports\r\nshould be closed or protected by restrictive firewall access policies.\r\nBlock incoming connections to port 4040: Weave Scope uses default port 4040 to make the dashboard\r\naccessible, and anyone with access to the network can view the dashboard. 
Similar to the Docker API port,\r\nthis port should be closed or restricted by the firewall.\r\nBlock the IOCs provided below.\r\nCheck out our article Best Practice for Securing a Docker Runtime environment.\r\nTake advantage of the free Intezer Protect community edition to protect your Linux cloud servers and\r\ncontainers in runtime against unauthorized code.\r\nApply Zero Trust Execution to Your Workloads\r\nZero Trust Execution is viewed by market research firms as the best practice for securing cloud workloads, for\r\nreasons exemplified by this TeamTNT attack. ZTE creates a trusted baseline of your workloads and monitors for\r\nany new process or injected code. Any unauthorized code or applications that drift from the pre-approved baseline\r\nare blocked from running in your cloud environment, allowing you to retain a trusted state.\r\nIn this scenario, although Weave Scope is a legitimate administration tool (it’s not malware and therefore doesn’t\r\ncontain malicious code), the application was still flagged by ZTE because it’s unauthorized code that deviates\r\nfrom the trusted baseline.\r\nThis article explains how you can adopt a genetic-based ZTE approach to alleviate some of the high overhead\r\ncaused by traditional implementations.\r\nUpdate from Weave Works\r\nWeave Works has since provided this in-depth article on how to prevent malicious attacks using Weave Scope.\r\nThe article covers both how Scope is used and how you can prevent it from being misused by securing it in any\r\nKubernetes installation.\r\nA special thank you to Idan Katz for his contribution to this research.\r\nIOCs\r\n85[.]214.149.236\r\nhttps://iplogger[.]org/2Xvkv5\r\n24d7d21c3675d66826da0372369ec3e8\r\n8c6681daba966addd295ad89bf5146af\r\n656eca480e2161e8645f9b29af7e4762\r\n8ffdba0c9708f153237aabb7d386d083\r\n45385f7519c11a58840931ee38fa3c7b\r\nSource: https://www.intezer.com/blog/cloud-security/attackers-abusing-legitimate-cloud-monitoring-tools-to-conduct-cyber-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.intezer.com/blog/cloud-security/attackers-abusing-legitimate-cloud-monitoring-tools-to-conduct-cyber-attacks/"
	],
	"report_names": [
		"attackers-abusing-legitimate-cloud-monitoring-tools-to-conduct-cyber-attacks"
	],
	"threat_actors": [
		{
			"id": "f809bfcb-b200-4988-80a8-be78ef6a52ef",
			"created_at": "2023-01-06T13:46:39.186988Z",
			"updated_at": "2026-04-10T02:00:03.240002Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"Adept Libra"
			],
			"source_name": "MISPGALAXY:TeamTNT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c3ca592f-0669-49bd-ab5c-310007ab2fb4",
			"created_at": "2022-10-25T15:50:23.334495Z",
			"updated_at": "2026-04-10T02:00:05.264841Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"TeamTNT"
			],
			"source_name": "MITRE:TeamTNT",
			"tools": [
				"Peirates",
				"MimiPenguin",
				"LaZagne",
				"Hildegard"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434362,
	"ts_updated_at": 1775791624,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a44a575f120ca7935e006a0b1bf6e5f40ee69e17.pdf",
		"text": "https://archive.orkl.eu/a44a575f120ca7935e006a0b1bf6e5f40ee69e17.txt",
		"img": "https://archive.orkl.eu/a44a575f120ca7935e006a0b1bf6e5f40ee69e17.jpg"
	}
}