The notorious hacking group TeamTNT has returned with a new campaign targeting Virtual Private Server (VPS) infrastructures running on the CentOS operating system. This attack highlights the escalating complexity of securing cloud environments.
Brute Force Attack and Malicious Script
TeamTNT initiates the attack with a brute force assault on SSH services. Once successful, they upload a malicious script designed to disable security features, erase logs, and modify system files. The script also targets cryptocurrency mining processes, removes Docker containers, and updates DNS settings on Google’s servers.
Diamorphine Rootkit
The malicious script installs the Diamorphine rootkit, which provides the attacker with covert execution capabilities on the compromised host. It can conceal or unhide processes and grant root privileges to any user.
Custom Tools for Persistence
TeamTNT employs custom tools to maintain control over the system. They create a backdoor user with root access, add it to the sudoer group, and install a public key for SSH access. Additionally, file attributes are modified to lock down the system and hinder recovery efforts.
Targeting CentOS VPS
CentOS version 7, which is widely used despite its discontinuation, is a primary target for TeamTNT. Its lack of up-to-date security patches makes these systems vulnerable to exploitation.
Mitigation Strategies
To mitigate these threats, security teams should implement the following measures:
- Strengthen SSH configurations
- Monitor for rootkits
- Secure containerized environments
- Apply the latest security patches
- Configure firewalls to limit access
- Restrict SSH access to specific IP addresses
Conclusion
The TeamTNT attack is a testament to the evolving tactics of threat actors as cloud technologies advance. Cybersecurity experts emphasize the necessity for enhanced security measures in cloud deployments to address these emerging risks.
