Cybersecurity experts at Trend Micro have recently identified that hackers are actively attacking the Amazon Web Services (AWS) EC2 workloads to steal credentials.
By exploiting this tool, hackers get the ability to exfiltrate essential data like access keys and tokens.
In this case, the hackers sent the stolen data to a domain under their control. On the AWS-owned domain, amazonaws.com to accomplish this task threat actors used the technique called typosquatting.
Attack Flow
There was a report earlier that legitimate tools are being abused for nefarious purposes with the abuse of Weave Scope specifically.
It was determined that the attacker made use of an exposed Docker REST API server to gain access to the honeypot that was planted by the researchers during this attempt, which is common practice for threat actors such as TeamTNT to leverage.
Within the container, the attackers mounted the host’s root directory on the path </host> in the container, which corresponded to the underlying host’s root directory on the host.
In this case, rather than any other command being supplied that should have been executed by the container during the creation procedure, a script named init.sh was executed.
While there are two variable that are declared and here we have mentioned them:-
- SCOPE_SH, a Base64-encoded string that installs Weave Scope
- WS_TOKEN, a secret access token that can be used to include hosts in fleets
Functions of the script
After analyzing the script, cybersecurity analysts have concluded that there are five primary functions that are offered by this script. These functions are mainly used by attackers during attacks for several types of implementations and deployments.
Here below we have mentioned the 5 primary functions offered by the script:-
- main
- wssetup
- checkkey
- getrange
- rangescan
Domain analysis
To resolve the domain, the IP addresses used by the attackers depict the strong connection between the following domains with the TeamTNT threat group:-
- amazon2aws[.]com
- teamtnt[.]red
It is no secret that cybercriminals are constantly sharpening their arsenal, testing, developing, and abusing tools and platforms meant for legitimate purposes.
The adoption of cloud platforms by many companies has entailed the building of malicious tools by attackers to exploit the services that are available in the cloud.
- In terms of being defenders, it is important that we keep in mind the following points:-
- It is imperative to know what attackers are targeting after they have gained entry into the system.
- To disable them, there are a number of methods that need to be used.
- For them to be disarmed, there needs to be a set of methods.
- Removal of threats using different security procedures.
Network Security Checklist – Download Free E-Book
 EC2 workloads to steal credentials.){kind=link}