Friday, March 29, 2024

Beware! Hackers Attack AWS EC2 Workloads to Steal Credentials

Cybersecurity experts at Trend Micro have recently identified that hackers are actively attacking the Amazon Web Services (AWS) EC2 workloads to steal credentials.

By exploiting this tool, hackers get the ability to exfiltrate essential data like access keys and tokens. 

In this case, the hackers sent the stolen data to a domain under their control. On the AWS-owned domain, amazonaws.com to accomplish this task threat actors used the technique called typosquatting.

Attack Flow

There was a report earlier that legitimate tools are being abused for nefarious purposes with the abuse of Weave Scope specifically.

It was determined that the attacker made use of an exposed Docker REST API server to gain access to the honeypot that was planted by the researchers during this attempt, which is common practice for threat actors such as TeamTNT to leverage.

AWS EC2

Within the container, the attackers mounted the host’s root directory on the path </host> in the container, which corresponded to the underlying host’s root directory on the host.

In this case, rather than any other command being supplied that should have been executed by the container during the creation procedure, a script named init.sh was executed.

While there are two variable that are declared and here we have mentioned them:-

  • SCOPE_SH, a Base64-encoded string that installs Weave Scope
  • WS_TOKEN, a  secret access token that can be used to include hosts in fleets

Functions of the script

After analyzing the script, cybersecurity analysts have concluded that there are five primary functions that are offered by this script. These functions are mainly used by attackers during attacks for several types of implementations and deployments.

Here below we have mentioned the 5 primary functions offered by the script:-

  • main
  • wssetup
  • checkkey
  • getrange
  • rangescan

Domain analysis

To resolve the domain, the IP addresses used by the attackers depict the strong connection between the following domains with the TeamTNT threat group:-

  • amazon2aws[.]com
  • teamtnt[.]red
AWS EC2

It is no secret that cybercriminals are constantly sharpening their arsenal, testing, developing, and abusing tools and platforms meant for legitimate purposes.

The adoption of cloud platforms by many companies has entailed the building of malicious tools by attackers to exploit the services that are available in the cloud.

  • In terms of being defenders, it is important that we keep in mind the following points:-
  • It is imperative to know what attackers are targeting after they have gained entry into the system.
  • To disable them, there are a number of methods that need to be used.
  • For them to be disarmed, there needs to be a set of methods.
  • Removal of threats using different security procedures.

Network Security Checklist – Download Free E-Book

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles