Recent investigations suggest that the well-known threat group TeamTNT may be back in operation. The group, infamous for targeting cloud environments such as Docker, Kubernetes and Redis, has left traces in new attacks observed from 2023 through 2024, raising concerns that it, or a copycat, is behind ongoing campaigns.
The Beginning of TeamTNT
TeamTNT emerged in 2019, targeting public cloud services with cryptojacking attacks that hijack victims' compute to mine cryptocurrency. Using homebrewed tools, the group gained unauthorized access to public-facing Redis and Docker instances, stole credentials and installed backdoors. After years of damaging operations it went quiet in 2022, with no further updates to its known profiles or social media accounts. Recent analysis by security teams suggests that the tactics, techniques and procedures (TTPs) seen in attacks throughout 2023 and 2024 resemble those previously attributed to TeamTNT, pointing either to a return of the group or to an imitator using the same methods.
New Campaigns Targeting VPS Cloud Infrastructures
The latest campaigns target virtual private servers (VPS) running CentOS, with initial access gained by brute-forcing Secure Shell (SSH) logins. Once in, the attackers upload and execute a malicious script that scans for existing cryptocurrency miners and kills any it finds, clearing out competitors before deploying their own.
Findings:
- The malicious script disables several security controls, including the host firewall (iptables), SELinux and AppArmor, and deletes key system logs, making the breach harder for administrators to detect.
- The attackers move into Docker containers, removing any previously installed miners and deploying their own, and point the host's DNS resolution at Google's public DNS servers to obscure their activity.
- The script establishes persistence by installing a cron job that fetches updates from a command-and-control (C2) server every 30 minutes, so that even if the malicious code is removed it is reinstalled at the next run.
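Triage checks for the three findings above, written as an added example for this article rather than Group-IB's tooling or the attackers' script. The functions parse text collected from a suspect host (a crontab, /etc/resolv.conf, /etc/selinux/config and the output of `iptables -S`) and flag a cron entry that re-downloads and runs a payload at a short interval, resolvers that differ from the expected baseline, SELinux switched off, and a firewall left with only ACCEPT policies and no rules (one plausible end state of `iptables -F`, assumed here). Every sample input in the test is constructed, including the documentation-range address 198.51.100.7.

```python
"""Triage checks for disabled controls, changed resolvers and cron-based
re-download. Added example, not Group-IB's or the attackers' code; all
sample inputs are constructed."""
import re
from typing import List, Optional, Set

# "curl ... | sh", "wget ... | bash" or "sh -c '... curl ...'": fetch-and-run.
FETCH_AND_RUN = re.compile(
    r"\b(curl|wget)\b.*\|\s*(ba)?sh\b|\bsh\s+-c\b.*\b(curl|wget)\b", re.I
)


def cron_minute_interval(minute_field: str) -> Optional[int]:
    """Return N for a '*/N' minute field, else None (other forms not scored)."""
    m = re.fullmatch(r"\*/(\d+)", minute_field)
    return int(m.group(1)) if m else None


def suspicious_cron_entries(crontab_text: str, system_crontab: bool = False,
                            max_interval: int = 30) -> List[str]:
    """Entries that run at least every `max_interval` minutes and pipe a
    download into a shell. Use system_crontab=True for /etc/crontab and
    /etc/cron.d/*, which carry a user column before the command."""
    hits = []
    ncols = 6 if system_crontab else 5
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue  # blank line, comment or VAR=value assignment
        parts = line.split(None, ncols)
        if len(parts) <= ncols:
            continue
        interval = cron_minute_interval(parts[0])  # @hourly-style lines give None
        command = parts[ncols]
        if (interval is not None and interval <= max_interval
                and FETCH_AND_RUN.search(command)):
            hits.append(line)
    return hits


def resolver_changes(resolv_conf_text: str, expected: Set[str]) -> Set[str]:
    """Nameservers configured on the host that are not in the expected set."""
    seen = set()
    for line in resolv_conf_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            seen.add(fields[1])
    return seen - expected


def selinux_mode(selinux_config_text: str) -> Optional[str]:
    """Value of SELINUX= in /etc/selinux/config: enforcing, permissive or disabled."""
    for line in selinux_config_text.splitlines():
        line = line.strip()
        if line.startswith("SELINUX="):
            return line.split("=", 1)[1].strip().lower()
    return None


def iptables_is_open(iptables_s_text: str) -> bool:
    """True when 'iptables -S' shows only ACCEPT default policies and no
    rules, the state left after 'iptables -F' and 'iptables -P ... ACCEPT'
    (an assumed end state of the script's firewall tampering)."""
    lines = [l.strip() for l in iptables_s_text.splitlines() if l.strip()]
    return bool(lines) and all(
        l.startswith("-P ") and l.endswith(" ACCEPT") for l in lines
    )


if __name__ == "__main__":
    # Live run on a Linux host; each file may be absent, so failures are reported, not fatal.
    for path, fn in (("/etc/crontab", lambda t: suspicious_cron_entries(t, True)),
                     ("/etc/resolv.conf", lambda t: resolver_changes(t, set())),
                     ("/etc/selinux/config", selinux_mode)):
        try:
            with open(path) as fh:
                print(path, "->", fn(fh.read()))
        except OSError as exc:
            print(path, "->", exc)
```

Run the functions against the crontabs of every user (`crontab -l -u <user>`) as well as /etc/crontab and /etc/cron.d, since the page does not say which crontab the 30-minute job lands in; a resolver baseline of the provider's DNS servers turns the Google-resolver finding into a one-line diff.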
Diamorphine Rootkit Deployment
One of the more advanced techniques seen in these attacks is deployment of the Diamorphine rootkit, a loadable Linux kernel module that gives the attackers covert access to the compromised system. Once loaded, the module can hide itself from the module list, hide chosen processes from process listings, and grant root to any user that sends it a particular signal, so the attackers can run commands without being noticed. To secure their foothold they also create a backdoor user with root privileges and use a custom tool named "tntrecht" to alter file attributes so that administrators cannot simply undo the changes. The attackers go as far as locking the system, making recovery impractical without a full reinstallation.
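Checks for the rootkit and backdoor tradecraft described above, written as an added example for this article and not Group-IB's tooling or the attackers' code. It finds processes hidden from /proc listings, uid-0 accounts other than root, and files made immutable with `chattr +i`. The /proc scan assumes Diamorphine's default behaviour of filtering hidden PIDs out of directory listings (a getdents hook) while leaving /proc/<pid> reachable by direct path; the passwd and lsattr inputs in the test are constructed samples, and the account name svcbackup is invented.

```python
"""Hidden-process, uid-0 account and immutable-file checks. Added example,
not Group-IB's or the attackers' code; test inputs are constructed."""
import os
from typing import Callable, List, Optional, Set


def list_proc_pids(proc: str = "/proc") -> Set[int]:
    """PIDs as a directory listing reports them, the view a rootkit filters."""
    return {int(d) for d in os.listdir(proc) if d.isdigit()}


def tgid_of(pid: int, proc: str = "/proc") -> Optional[int]:
    """Thread-group id from /proc/<pid>/status, or None if no such entry."""
    try:
        with open(f"{proc}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def find_hidden_pids(listed: Set[int], tgid: Callable[[int], Optional[int]],
                     pid_max: int) -> Set[int]:
    """Process ids reachable by path but absent from the listing.

    Probing /proc/<pid> for every id up to pid_max bypasses a getdents hook.
    Threads also have /proc entries that never appear in the listing, so an
    id only counts when it is its own thread-group leader (Tgid == pid).
    """
    hidden = set()
    for pid in range(1, pid_max + 1):
        if pid not in listed and tgid(pid) == pid:
            hidden.add(pid)
    return hidden


def uid0_accounts(passwd_text: str) -> List[str]:
    """Accounts other than root with uid 0 in /etc/passwd, one common shape
    of a backdoor user; also review /etc/sudoers and the wheel group."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[2] == "0" and fields[0] != "root":
            names.append(fields[0])
    return names


def immutable_files(lsattr_text: str) -> List[str]:
    """Paths whose lsattr flag field carries 'i' (chattr +i), which blocks
    edits and deletion even by root until the flag is cleared."""
    found = []
    for line in lsattr_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and "i" in parts[0]:
            found.append(parts[1].strip())
    return found


if __name__ == "__main__":
    # Live run on a Linux host. A second listing drops processes that
    # merely started between the first listing and the probe.
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            pid_max = int(fh.read())
    except OSError:
        pid_max = 32768
    hidden = find_hidden_pids(list_proc_pids(), tgid_of, pid_max) - list_proc_pids()
    print("hidden pids:", sorted(hidden))
    with open("/etc/passwd") as fh:
        print("extra uid-0 accounts:", uid0_accounts(fh.read()))
```

Feed `immutable_files` the output of `lsattr /etc/passwd /etc/shadow /etc/ssh/sshd_config /etc/cron.d/*`, the files a `tntrecht`-style tool would most usefully pin. Two caveats: a stock Diamorphine build can be made visible again with `kill -63 0`, but only if the attacker kept the default signal numbers, and any check run on the live kernel is answering questions to a kernel the attacker controls, so a disk or memory image examined offline is the authoritative source once a hidden process turns up.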
Investigative Findings
Group-IB’s Digital Forensics and Incident Response (DFIR) team led the investigation into these campaigns, identifying overlaps between the TTPs in the current attacks and those historically attributed to TeamTNT. The rootkit, combined with the other persistence and anti-recovery mechanisms, shows a deep understanding of cloud infrastructure, a hallmark of TeamTNT’s past campaigns. While it is too early to attribute the attacks to the group with confidence, the evidence points to its involvement. The activity shows a continued focus on cloud environments, in particular those with weak security configurations.
Recommendations
Security experts recommend that organizations using VPS or cloud infrastructures harden their security measures, including:
- Apply updates and patches promptly to minimize exploitable vulnerabilities.
- Harden SSH: require key-based authentication and disable password logins, which removes the brute-force path entirely. Moving SSH off the default port cuts down on opportunistic scanning but is no substitute for that.
- Restrict the firewall to the services that must be exposed and monitor traffic for irregular patterns that may indicate an intrusion.
- Review cron configurations regularly and protect them against malicious changes, since a scheduled re-download is how this campaign keeps its foothold.
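An audit of the SSH settings behind the hardening advice above, written as an added example for this article and not Group-IB's guidance or any project's code. It reads sshd_config text and reports the settings that still leave the password brute-force path open, so the weak configuration can be compared with the hardened one. Assumptions: OpenSSH's documented defaults when a keyword is absent (PasswordAuthentication yes, KbdInteractiveAuthentication yes, PermitRootLogin prohibit-password, PubkeyAuthentication yes), and only the global section before any Match block is checked. The weak and hardened configurations in the test are constructed samples.

```python
"""sshd_config audit for the password brute-force path. Added example, not
Group-IB's guidance or OpenSSH code; defaults assumed per sshd_config(5)."""
import re
from typing import Dict, List


def sshd_effective(config_text: str) -> Dict[str, str]:
    """Global settings as sshd resolves them: the first occurrence of a
    keyword wins, '#' starts a comment, keyword and value may be separated
    by whitespace or '=', and everything from the first Match block on is
    conditional and ignored here."""
    effective: Dict[str, str] = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def sshd_findings(config_text: str) -> List[str]:
    """Keywords whose effective value still permits password guessing or
    direct root login. Port is deliberately not checked: a non-default
    port trims scanner noise but does not stop a brute-force aimed at it."""
    eff = sshd_effective(config_text)
    # ChallengeResponseAuthentication is the older spelling of the
    # keyboard-interactive switch, through which PAM can still ask for a password.
    kbd_default = eff.get("challengeresponseauthentication", "yes")
    checks = [
        ("PasswordAuthentication", "yes", {"no"}),
        ("KbdInteractiveAuthentication", kbd_default, {"no"}),
        ("PermitRootLogin", "prohibit-password",
         {"no", "prohibit-password", "without-password"}),
        ("PubkeyAuthentication", "yes", {"yes"}),
    ]
    return [
        keyword for keyword, default, allowed in checks
        if eff.get(keyword.lower(), default) not in allowed
    ]


if __name__ == "__main__":
    with open("/etc/ssh/sshd_config") as fh:
        print("weak settings:", sshd_findings(fh.read()) or "none")
```

A file that only changes Port and leaves PasswordAuthentication commented out still reports three findings, because the commented line is sshd's way of showing the default, not a setting. Run `sshd -T` on the host as well: it prints the fully resolved configuration, including anything pulled in by Include, which this parser does not follow.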
Whether it is TeamTNT or a copycat, the return of these tactics is a reminder that threats in the cloud space keep changing, and that organizations cannot afford to become complacent about their security.