A notorious hacking group known as TeamTNT has resurfaced with a new campaign targeting Virtual Private Server (VPS) infrastructures running on the CentOS operating system.
The group, known for its cryptojacking activities, has been active since at least 2019 and has previously targeted Linux and Redis servers, as well as misconfigured Docker containers and Kubernetes clusters.
According to a recent report by Group-IB researchers, the latest campaign begins with a Secure Shell (SSH) brute force attack on the victim’s assets, during which the threat actor uploads a malicious script.
The script is designed to disable security features, delete logs, and modify system files while searching for existing miners. It also kills cryptocurrency mining processes, removes Docker containers, and updates DNS settings on Google’s servers.
Meet the CISOs, Join the Virtual Panel to Learn compliance – Join Free
The malicious script installs the Diamorphine rootkit, a loadable kernel module (LKM) rootkit for Linux kernels, which allows the attacker to execute malicious activities on the compromised host covertly.
The rootkit provides features such as silent execution, the ability to hide/unhide any process, and the capability to make any user root by sending a signal.
The threat actor also uses custom tools to maintain persistence and control over the compromised system. The script creates a backdoor user with root access, adds it to the ‘sudoer’ group, and installs a public key to allow secure access via SSH.
Group-IB said that the script also locks down the system by modifying file attributes, preventing the system administrator from unlocking protected files and hindering recovery efforts.
Security experts warn that the resurgence of TeamTNT highlights the growing complexity of securing cloud infrastructures.
“With cloud-native technologies like Kubernetes and Docker, attackers can exploit misconfigurations and weak security practices to take control of resources,” said Callie Guenther, senior manager of cyber threat research at Critical Start.
The use of CentOS, particularly version 7, which is still widely used despite its discontinuation, makes these systems vulnerable to attacks.
“TeamTNT’s focus on CentOS VPS instances is significant because these systems often lack up-to-date security patches, making them vulnerable,” researchers said.
To mitigate these threats, security teams are advised to strengthen SSH configurations, monitor for rootkits, and ensure containerized environments are secured.
Additionally, implementing security countermeasures such as applying the latest security patches, configuring firewalls to allow only essential services, and restricting SSH access to a select set of IP addresses can help prevent these attacks.
The latest campaign attributed to TeamTNT underscores the need for enhanced security measures in cloud deployments. As cloud technologies continue to evolve, so do the tactics of threat actors.
Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14-day free trial