The hacking group TeamTNT, notorious for its cryptojacking campaigns, has re-emerged with a new attack targeting Virtual Private Servers (VPS) running on the CentOS operating system. Active since 2019, TeamTNT has previously attacked Linux systems, Redis servers, Docker containers, and Kubernetes clusters, exploiting misconfigurations and weak security practices.
According to cybersecurity researchers from Group-IB, the group’s latest campaign begins with a brute-force Secure Shell (SSH) attack on vulnerable systems. Once access is gained, TeamTNT deploys a malicious script that disables security defenses, deletes logs, modifies system files, and removes existing cryptocurrency miners.
The attack further involves the installation of the Diamorphine rootkit, a loadable kernel module (LKM) rootkit for Linux, enabling covert control over the compromised server. The rootkit allows attackers to hide processes, execute commands silently, and escalate user privileges to root.
Additionally, the hackers create a backdoor user with root access, add it to the sudoers group, and upload a public key to maintain persistent SSH access. They also lock system files, making it difficult for administrators to recover the compromised systems.
Security experts warn that TeamTNT’s focus on CentOS, particularly version 7, which has received no security updates since it reached end of life, leaves these systems highly exposed to such attacks. The group’s ability to exploit cloud-native technologies like Docker and Kubernetes underscores the growing risks of securing cloud infrastructure.
To mitigate the threat, security teams are advised to harden SSH configurations, monitor for rootkits, and apply security patches promptly. Restricting SSH access to trusted IP addresses, configuring firewalls, and securing containerized environments are also critical measures to prevent future intrusions.
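The persistence described above (a second root-level account, sudo group membership, and locked system files) leaves traces in files an administrator can audit. The following is an added example, not code from the report or from Group-IB, of POSIX shell checks for those traces; the sample passwd, group and lsattr snapshots are constructed, and `audit_host` is a hypothetical wrapper for running the same checks on a live host.

```shell
#!/bin/sh
# Each check takes file or command output as a string, so it can be run
# offline against the constructed samples below or against a live host.

# Constructed snapshots of /etc/passwd, /etc/group and
# `lsattr /etc/passwd /etc/shadow /etc/sudoers` from a hypothetical host.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
centos:x:1000:1000::/home/centos:/bin/bash
sysmon:x:0:0::/home/sysmon:/bin/bash'
SAMPLE_GROUP='wheel:x:10:centos,sysmon
sudo:x:27:sysmon
users:x:100:'
SAMPLE_LSATTR='----i----------------- /etc/passwd
----i----------------- /etc/shadow
---------------------- /etc/sudoers'

# Accounts other than root whose UID is 0: a second root-equivalent login.
uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Members of the sudo-capable groups (wheel on CentOS, sudo on Debian-style
# hosts), one per line, deduplicated, for comparison against a known baseline.
sudo_group_members() {
    printf '%s\n' "$1" | awk -F: '$1 == "wheel" || $1 == "sudo" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' | sort -u
}

# Files carrying the immutable (lowercase i) attribute, which blocks edits
# even by root until it is cleared with `chattr -i`; this is one way
# attackers lock system files against recovery.
immutable_files() {
    printf '%s\n' "$1" | awk 'index($1, "i") > 0 { print $2 }'
}

# Hypothetical wrapper: run the same checks on the live host
# (lsattr comes from e2fsprogs and only works on ext-family filesystems).
audit_host() {
    echo "== extra UID 0 accounts ==";  uid0_accounts "$(cat /etc/passwd)"
    echo "== sudo group members ==";    sudo_group_members "$(cat /etc/group)"
    echo "== immutable system files =="
    immutable_files "$(lsattr /etc/passwd /etc/shadow /etc/sudoers 2>/dev/null)"
}
```

Any output from the first check, and any member or immutable file not on your baseline, warrants a closer look at the host.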
This resurgence highlights the ongoing evolution of cloud threats, with TeamTNT continuing to adapt its tactics to exploit weaknesses in cloud deployments.