
Preventing malicious use of Weave Scope

Blog post from Sysdig

Post Details

Company: Sysdig
Author: Vicente Herrera García
Word Count: 1,200
Language: English

Summary

Attackers from the TeamTNT group have been exploiting exposed Docker API endpoints to deploy Weave Scope, a legitimate server management and visualization tool, in order to gain unauthorized access to and control over compromised systems. Once installed, Weave Scope gives the attackers root-level access to the host operating system and the entire Kubernetes environment, making it easier to scan for further weaknesses, exfiltrate data, and deploy additional malicious workloads. The article emphasizes that Docker and Kubernetes deployments are not secured by default and must be hardened, and suggests using tools like Falco to detect anomalous behaviour and prevent the deployment of unauthorized images. It also recommends conducting thorough security audits, protecting the Docker API port, and implementing image scanning policies so that the deployment of Weave Scope and similar tools is detected and blocked.