TeamTNT Hackers Targeting VPS Servers Running CentOS: What You Need to Know 

In a chilling reminder of the persistent threat posed by cybercriminals, the hacking group TeamTNT has resurfaced with a new campaign aimed specifically at Virtual Private Server (VPS) infrastructures running on the CentOS operating system. Known primarily for their cryptojacking activities, TeamTNT has been active since at least 2019, exploiting vulnerabilities in Linux and Redis servers, as well as misconfigured Docker containers and Kubernetes clusters. This article delves into their latest tactics, the implications for security, and the measures organizations can take to protect themselves. 

Overview of TeamTNT’s Attack Campaign 

Recent reports from Group-IB researchers reveal that TeamTNT’s current campaign begins with a Secure Shell (SSH) brute force attack on their targets. This attack vector allows them to gain unauthorized access to vulnerable servers, particularly those running CentOS 7. Once inside, the attackers upload a malicious script designed to compromise system integrity and control. 

SSH Brute Force Attack 

The initial phase of the attack involves the use of automated tools to execute brute force attempts on SSH. This method exploits weak or default credentials, enabling the hackers to gain entry into the system. Once access is established, the malicious script is uploaded, initiating a series of damaging actions. 

Execution of the Malicious Script 

The script has several nefarious functions: 

• Disabling Security Features: It can turn off firewalls and other protective measures, leaving the system vulnerable. 

• Deleting Logs: By erasing log files, attackers can hide their activities, complicating any post-incident investigations. 

• Modifying System Files: Key system files may be altered to maintain control or facilitate further exploitation. 

Cryptojacking and Resource Hijacking 

A hallmark of TeamTNT’s operations is cryptojacking, where the attackers use compromised servers to mine cryptocurrency. The malicious script actively seeks out existing mining processes, terminates them, and then reconfigures the server to mine for the attackers instead. This not only affects the performance of the server but also incurs financial costs for the affected organization. 

The Role of the Diamorphine Rootkit 

A particularly alarming feature of this attack is the installation of the Diamorphine rootkit, a loadable kernel module (LKM) for Linux systems. This rootkit enables the attacker to maintain covert control over the compromised server with capabilities that include: 

• Silent Execution: Running processes without detection. 

• Process Manipulation: Hiding or un-hiding any processes, complicating detection efforts. 

• Privilege Escalation: Allowing the attacker to grant any user root access by sending specific signals. 

Persistence and Control 

To ensure continued access, the script creates a backdoor user with root privileges and adds this user to the ‘sudoer’ group. It also installs a public key for SSH access, allowing the attacker to return at any time without needing to breach the server again. 

Moreover, the script locks down the system by modifying file attributes, making it difficult for administrators to recover compromised files or revert changes. 

The Vulnerability of CentOS 

The focus on CentOS, particularly version 7, is significant due to several factors: 

1. Widespread Use 

Despite its discontinuation, CentOS 7 is still deployed widely across various organizations, especially among those that have yet to migrate to alternative distributions. 

2. Lack of Security Updates 

With CentOS 7 no longer receiving official security patches, systems running this OS are left vulnerable. Known vulnerabilities remain unaddressed, making these systems prime targets for attackers. 

3. Misconfigurations 

Many VPS environments are not configured with security best practices in mind. This negligence further increases the risk of exploitation. 

Security Implications for Cloud Infrastructures 

As highlighted by cybersecurity experts, the resurgence of TeamTNT underscores the growing complexity of securing cloud infrastructures. Callie Guenther, a senior manager of cyber threat research at Critical Start, notes, “With cloud-native technologies like Kubernetes and Docker, attackers can exploit misconfigurations and weak security practices to take control of resources.” 

Organizations must recognize that cloud technologies, while offering significant advantages, also introduce new vulnerabilities that can be exploited if not properly secured. 

Best Practices for Mitigation 

To safeguard against attacks like those from TeamTNT, organizations are advised to adopt a multi-layered security approach. Here are several key measures to implement: 

1. Strengthen SSH Configurations 

• Disable Root Login: Prevent direct root access via SSH; instead, use regular user accounts with sudo privileges. 

• Key-Based Authentication: Implement SSH key-based authentication rather than relying on passwords, which can be easily guessed or cracked. 

• Change Default Ports: Alter the default SSH port (22) to a non-standard port to reduce exposure to automated attacks. 

2. Regularly Monitor for Rootkits 

• Use Detection Tools: Implement tools like rkhunter or chkrootkit to scan for rootkits and other malicious software. 

• Conduct Audits: Regularly review system integrity and logs to detect unauthorized changes or suspicious activities. 

3. Secure Containerized Environments 

• Limit Resource Permissions: Ensure that Docker containers and Kubernetes clusters operate with the principle of least privilege, restricting access to only necessary resources. 

• Update and Patch Regularly: Stay current with updates for all software and container images to mitigate known vulnerabilities. 

4. Apply Security Patches 

• Upgrade to Supported Versions: Consider migrating to a supported operating system, such as Rocky Linux or AlmaLinux, to receive ongoing security updates. 

• Automate Patch Management: Use tools to automate the patching process, reducing the risk of human error. 

5. Configure Firewalls and Network Controls 

• Restrict Access: Utilize firewalls to permit only essential services and limit SSH access to specific IP addresses. 

• Intrusion Detection Systems: Implement IDS/IPS solutions to monitor network traffic for suspicious activities. 

Conclusion 

The resurgence of TeamTNT’s attacks on CentOS VPS environments serves as a critical reminder for organizations to take cyber threats seriously. As cloud technologies evolve, so do the tactics of threat actors, highlighting the urgent need for enhanced security measures. By implementing best practices and remaining vigilant, organizations can significantly reduce their risk of falling victim to cryptojacking and other malicious activities. 

The digital landscape is continually changing, and proactive security strategies are essential for safeguarding valuable resources. 

Frequently Asked Questions (FAQs) about TeamTNT Hackers Targeting VPS Servers

​​References 

​​Baran, G. (2024, September 20). TeamTNT Hackers Attacking VPS Servers Running CentOS. Retrieved from Cyber Security News: https://cybersecuritynews.com/vps-servers-running-centos-under-attack/ 

​​​