In a chilling reminder of the persistent threat posed by cybercriminals, the hacking group TeamTNT has resurfaced with a new campaign aimed specifically at Virtual Private Server (VPS) infrastructures running on the CentOS operating system. Known primarily for their cryptojacking activities, TeamTNT has been active since at least 2019, exploiting vulnerabilities in Linux and Redis servers, as well as misconfigured Docker containers and Kubernetes clusters. This article delves into their latest tactics, the implications for security, and the measures organizations can take to protect themselves.
Overview of TeamTNT’s Attack Campaign
Recent reports from Group-IB researchers reveal that TeamTNT’s current campaign begins with a Secure Shell (SSH) brute force attack on their targets. This attack vector allows them to gain unauthorized access to vulnerable servers, particularly those running CentOS 7. Once inside, the attackers upload a malicious script designed to compromise system integrity and control.
SSH Brute Force Attack
The initial phase of the attack involves the use of automated tools to execute brute force attempts on SSH. This method exploits weak or default credentials, enabling the hackers to gain entry into the system. Once access is established, the malicious script is uploaded, initiating a series of damaging actions.
Execution of the Malicious Script
The script has several nefarious functions:
- Disabling Security Features: It can turn off firewalls and other protective measures, leaving the system vulnerable.
- Deleting Logs: By erasing log files, attackers can hide their activities, complicating any post-incident investigations.
- Modifying System Files: Key system files may be altered to maintain control or facilitate further exploitation.
Cryptojacking and Resource Hijacking
A hallmark of TeamTNT’s operations is cryptojacking, where the attackers use compromised servers to mine cryptocurrency. The malicious script actively seeks out existing mining processes, terminates them, and then reconfigures the server to mine for the attackers instead. This not only affects the performance of the server but also incurs financial costs for the affected organization.
The Role of the Diamorphine Rootkit
A particularly alarming feature of this attack is the installation of the Diamorphine rootkit, a loadable kernel module (LKM) for Linux systems. This rootkit enables the attacker to maintain covert control over the compromised server with capabilities that include:
- Silent Execution: Running processes without detection.
- Process Manipulation: Hiding or un-hiding any processes, complicating detection efforts.
- Privilege Escalation: Allowing the attacker to grant any user root access by sending specific signals.
Persistence and Control
To ensure continued access, the script creates a backdoor user with root privileges and adds this user to the ‘sudoer’ group. It also installs a public key for SSH access, allowing the attacker to return at any time without needing to breach the server again.
Moreover, the script locks down the system by modifying file attributes, making it difficult for administrators to recover compromised files or revert changes.
The Vulnerability of CentOS
The focus on CentOS, particularly version 7, is significant due to several factors:
1. Widespread Use
Despite its discontinuation, CentOS 7 is still deployed widely across various organizations, especially among those that have yet to migrate to alternative distributions.
2. Lack of Security Updates
With CentOS 7 no longer receiving official security patches, systems running this OS are left vulnerable. Known vulnerabilities remain unaddressed, making these systems prime targets for attackers.
3. Misconfigurations
Many VPS environments are not configured with security best practices in mind. This negligence further increases the risk of exploitation.
Security Implications for Cloud Infrastructures
As highlighted by cybersecurity experts, the resurgence of TeamTNT underscores the growing complexity of securing cloud infrastructures. Callie Guenther, a senior manager of cyber threat research at Critical Start, notes, “With cloud-native technologies like Kubernetes and Docker, attackers can exploit misconfigurations and weak security practices to take control of resources.”
Organizations must recognize that cloud technologies, while offering significant advantages, also introduce new vulnerabilities that can be exploited if not properly secured.
Best Practices for Mitigation
To safeguard against attacks like those from TeamTNT, organizations are advised to adopt a multi-layered security approach. Here are several key measures to implement:
1. Strengthen SSH Configurations
- Disable Root Login: Prevent direct root access via SSH; instead, use regular user accounts with sudo privileges.
- Key-Based Authentication: Implement SSH key-based authentication rather than relying on passwords, which can be easily guessed or cracked.
- Change Default Ports: Alter the default SSH port (22) to a non-standard port to reduce exposure to automated attacks.
2. Regularly Monitor for Rootkits
- Use Detection Tools: Implement tools like rkhunter or chkrootkit to scan for rootkits and other malicious software.
- Conduct Audits: Regularly review system integrity and logs to detect unauthorized changes or suspicious activities.
3. Secure Containerized Environments
- Limit Resource Permissions: Ensure that Docker containers and Kubernetes clusters operate with the principle of least privilege, restricting access to only necessary resources.
- Update and Patch Regularly: Stay current with updates for all software and container images to mitigate known vulnerabilities.
4. Apply Security Patches
- Upgrade to Supported Versions: Consider migrating to a supported operating system, such as Rocky Linux or AlmaLinux, to receive ongoing security updates.
- Automate Patch Management: Use tools to automate the patching process, reducing the risk of human error.
5. Configure Firewalls and Network Controls
- Restrict Access: Utilize firewalls to permit only essential services and limit SSH access to specific IP addresses.
- Intrusion Detection Systems: Implement IDS/IPS solutions to monitor network traffic for suspicious activities.
Conclusion
The resurgence of TeamTNT’s attacks on CentOS VPS environments serves as a critical reminder for organizations to take cyber threats seriously. As cloud technologies evolve, so do the tactics of threat actors, highlighting the urgent need for enhanced security measures. By implementing best practices and remaining vigilant, organizations can significantly reduce their risk of falling victim to cryptojacking and other malicious activities.
The digital landscape is continually changing, and proactive security strategies are essential for safeguarding valuable resources.
Frequently Asked Questions (FAQs) about TeamTNT Hackers Targeting VPS Servers
What is TeamTNT?
TeamTNT is a hacking group known for its cryptojacking activities, primarily targeting cloud infrastructures, especially those running Linux-based systems.
How does TeamTNT conduct its attacks?
TeamTNT typically uses SSH brute force attacks to gain unauthorized access to VPS servers, where they upload malicious scripts to compromise system integrity.
What is cryptojacking?
Cryptojacking is the unauthorized use of someone else’s computing resources to mine cryptocurrency, often done without the owner’s knowledge.
How can I protect my VPS from TeamTNT attacks?
To protect against such attacks, you should strengthen SSH configurations, regularly monitor for rootkits, secure containerized environments, apply security patches, and configure firewalls to restrict access.
Why is CentOS particularly vulnerable to these attacks?
CentOS, especially version 7, is vulnerable due to its widespread use and lack of security updates following its discontinuation, making systems running it prime targets for exploitation.
References
Baran, G. (2024, September 20). TeamTNT Hackers Attacking VPS Servers Running CentOS. Retrieved from Cyber Security News: https://cybersecuritynews.com/vps-servers-running-centos-under-attack/
