How TeamTNT Hijacked Cloud Infrastructure Using Weave Scope
In a recent attack, the cyber‑crime group TeamTNT leveraged the open‑source monitoring tool Weave Scope to silently control Docker and Kubernetes cloud environments without deploying malicious code, highlighting critical misconfigurations and the growing sophistication of cloud‑native threats.
Abusing Open Source Tools
In a recent attack, the cyber‑crime group TeamTNT used a legitimate open‑source tool to avoid deploying malicious code on compromised cloud infrastructure while still maintaining full control.
The attackers employed a tool specifically designed for monitoring and controlling Docker and Kubernetes environments, which reduced the resource footprint on the infected servers.
Intezer researchers discovered that TeamTNT installed the open‑source Weave Scope tool to gain comprehensive control over the victim’s cloud infrastructure. This appears to be the first known case of a legitimate third‑party tool being abused as a backdoor in cloud environments, underscoring the group’s increasing sophistication.
Weave Scope integrates seamlessly with Docker, Kubernetes, DC/OS, and AWS Elastic Compute Cloud (ECS). It provides a complete visual view of processes, containers, and hosts, and can control installed applications.
According to Intezer’s report, the attackers installed the tool to visualize the victim’s cloud environment and execute system commands without needing to place malicious code on the servers.
The attack chain began with the exploitation of a publicly exposed Docker API, allowing the creation of a clean Ubuntu container that was then deployed on the victim’s server to access host files. The attackers created a local user named “hilde,” connected via SSH, and installed Weave Scope using only three commands: download, set permissions, and launch.
With the utility in place, TeamTNT could connect through HTTP on port 4040 (the default Scope dashboard port) to the Scope interface, thereby obtaining control.
Researchers note that closing the Docker API port or enforcing restricted access policies could have prevented this rare scenario. Another misconfiguration was allowing external network access to the Scope dashboard; the tool’s documentation explicitly advises against exposing port 4040 to the internet.
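The two misconfigurations the researchers point to (a Docker API listening on the network, and the Scope dashboard on port 4040 reachable from outside the host) can both be checked from the host itself. The following Python script is an added example written for this article, not Intezer's or Weave's code: it parses `ss -ltnp` output for listeners on the Docker API ports (2375/2376) and the Scope dashboard port (4040) that are bound to anything other than loopback, and it inspects a `daemon.json` for a TCP `hosts` entry that lacks `tlsverify`. The `ss` output and `daemon.json` content embedded below are constructed sample data.

```python
"""Audit a Linux host for the exposures the article describes: a Docker API
reachable over the network and a Weave Scope dashboard (port 4040) bound to a
non-loopback address.  Example code added for this article; not Intezer's or
Weave's tooling.  The sample `ss` output and daemon.json are constructed."""
import json
import re
import subprocess

# Docker daemon TCP API (2375 plain, 2376 TLS) and the default Scope dashboard port.
WATCHED_PORTS = {
    2375: "docker-api-plaintext",
    2376: "docker-api-tls",
    4040: "weave-scope-dashboard",
}
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed `ss -ltnp` output resembling a host in the state the article describes.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*         users:(("sshd",pid=640,fd=3))
LISTEN 0      4096   0.0.0.0:2375         0.0.0.0:*         users:(("dockerd",pid=812,fd=6))
LISTEN 0      4096   [::]:2375            [::]:*            users:(("dockerd",pid=812,fd=7))
LISTEN 0      4096   *:4040               *:*               users:(("scope",pid=2210,fd=9))
LISTEN 0      4096   127.0.0.1:9090       0.0.0.0:*         users:(("prometheus",pid=990,fd=5))
"""

# Constructed /etc/docker/daemon.json exposing the API on TCP without TLS verification.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+)\s+\S+\s*(.*)$")
PROC_RE = re.compile(r'users:\(\("([^"]+)"')


def split_addr_port(local):
    """Split an ss local address such as '0.0.0.0:2375', '[::]:2375' or '*:4040'."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def exposed_listeners(ss_output):
    """Return watched-port listeners that are bound to a non-loopback address."""
    findings = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        host, port = split_addr_port(m.group(1))
        if port not in WATCHED_PORTS or host in LOOPBACK:
            continue
        proc = PROC_RE.search(m.group(2))
        findings.append({
            "port": port,
            "bind": host or "*",
            "service": WATCHED_PORTS[port],
            "process": proc.group(1) if proc else None,
        })
    return findings


def docker_daemon_findings(daemon_json_text):
    """Flag tcp:// entries in dockerd's 'hosts' list that lack tlsverify."""
    cfg = json.loads(daemon_json_text)
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if cfg.get("tlsverify") is True:
        return [f"docker api on {h} requires TLS client certs (review the trusted CA)" for h in tcp_hosts]
    return [f"docker api on {h} accepts unauthenticated connections" for h in tcp_hosts]


def audit_live_host():
    """Run the same checks against the real host (requires `ss` and root for process names)."""
    ss_out = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True, check=True).stdout
    try:
        with open("/etc/docker/daemon.json") as fh:
            daemon_text = fh.read()
    except FileNotFoundError:
        daemon_text = "{}"
    return exposed_listeners(ss_out), docker_daemon_findings(daemon_text)


if __name__ == "__main__":
    for f in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"EXPOSED {f['service']} {f['bind']}:{f['port']} ({f['process']})")
    for msg in docker_daemon_findings(SAMPLE_DAEMON_JSON):
        print("CONFIG", msg)
```

On a real host, `audit_live_host()` runs the identical checks against `ss -ltnp` and `/etc/docker/daemon.json`. A Scope dashboard that is legitimately needed should appear bound to `127.0.0.1` (reached through an SSH tunnel or an authenticating reverse proxy), and the Docker API should not have a `tcp://` host at all unless `tlsverify` is set and the CA is one you control.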
In early May, TeamTNT attracted security researchers’ attention when MalwareHunterTeam mentioned the crypto‑mining gang, and Trend Micro disclosed that the attackers scanned the internet for open Docker daemon ports.
Last month, UK‑based Cado Security released a report providing evidence that TeamTNT’s crypto‑mining worm can also steal AWS credentials and configuration files from Docker and Kubernetes instances.