Security researchers have recently discovered new evidence of ongoing TeamTNT activity in 2023 [4], contradicting previous assumptions that the group had disappeared in 2022 [4].
Description
TeamTNT [1] [2] [3] [4], a well-known threat actor specializing in cryptojacking attacks, has been focusing on exploiting vulnerable public instances of Redis, Kubernetes [3] [4], and Docker [4]. Their tactics involve stealing credentials and installing backdoors to compromise these systems. A recent report by Group-IB has highlighted a new campaign targeting VPS cloud infrastructures running CentOS operating systems [4]. This campaign is initiated through SSH brute force attacks [4], enabling the threat actor to upload a malicious script that disables security features [4], deletes logs [3] [4], modifies system files [3] [4], disrupts cryptocurrency mining processes [1] [3] [4], removes Docker containers [3] [4], and updates DNS settings [4]. Furthermore, the malicious script deploys the “Diamorphine” rootkit to gain stealth and root privileges, showcasing TeamTNT’s proficiency in automating attacks and evading detection. The use of the Diamorphine rootkit allows for the concealment of malicious activities and establishes persistent remote access, highlighting the sophistication of TeamTNT’s strategies. It is crucial for organizations to remain vigilant, update security measures [2] [3], and monitor for any signs of unauthorized access [1], particularly on CentOS-based servers [1].
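Because the campaign starts with SSH password guessing and only then uploads its script, the earliest point a defender can catch it is in the sshd log. The following Python script is an added example, not code from any of the cited reports: it reads syslog-style sshd lines in the format CentOS writes to /var/log/secure (an assumption), flags source addresses that accumulate a burst of failed logins inside a short window, and then reports any successful login from an address that was already flagged, which is the moment a guessed credential has actually been used. The host name, addresses and log lines are constructed for the example; the threshold and window are tunable defaults, not values from the reports.

```python
import re
from collections import defaultdict
from datetime import datetime

# sshd failure/success lines as they appear in CentOS /var/log/secure (assumed format).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample log (TEST-NET addresses, fictitious host "vps1"): one address
# hammers root/admin and then gets in; a second address is an ordinary user.
SAMPLE_LOG = """\
Sep 20 10:15:01 vps1 sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Sep 20 10:15:03 vps1 sshd[2102]: Failed password for root from 203.0.113.5 port 51236 ssh2
Sep 20 10:15:05 vps1 sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51238 ssh2
Sep 20 10:15:08 vps1 sshd[2104]: Failed password for root from 203.0.113.5 port 51240 ssh2
Sep 20 10:15:10 vps1 sshd[2105]: Failed password for root from 203.0.113.5 port 51242 ssh2
Sep 20 10:15:14 vps1 sshd[2106]: Accepted password for root from 203.0.113.5 port 51244 ssh2
Sep 20 10:20:00 vps1 sshd[2110]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Sep 20 10:30:00 vps1 sshd[2111]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
""".splitlines()


def parse_ts(ts, year=2024):
    """Syslog timestamps carry no year; assume one so window arithmetic works."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def failed_attempts(lines):
    """Map source IP -> list of (timestamp, attempted user) for failed password logins."""
    out = defaultdict(list)
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            out[m["ip"]].append((parse_ts(m["ts"]), m["user"]))
    return out


def brute_force_sources(lines, threshold=5, window_seconds=60):
    """Return IPs with at least `threshold` failures inside any `window_seconds` span.

    Uses a sliding window over the sorted failure times so a slow trickle of
    failures spread over hours does not trip the detector, but a burst does.
    """
    flagged = {}
    for ip, events in failed_attempts(lines).items():
        times = sorted(t for t, _ in events)
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {
                    "attempts": len(times),
                    "first_failure": times[0],
                    "users": sorted({u for _, u in events}),
                }
                break
    return flagged


def successes_after_brute_force(lines, threshold=5, window_seconds=60):
    """Accepted logins from an already-flagged IP, i.e. a guessed credential in use."""
    flagged = brute_force_sources(lines, threshold, window_seconds)
    hits = []
    for line in lines:
        m = ACCEPTED_RE.match(line)
        if m and m["ip"] in flagged:
            if parse_ts(m["ts"]) >= flagged[m["ip"]]["first_failure"]:
                hits.append((m["ip"], m["user"], m["ts"]))
    return hits


if __name__ == "__main__":
    for ip, info in brute_force_sources(SAMPLE_LOG).items():
        print(f"brute force from {ip}: {info['attempts']} failures, users {info['users']}")
    for ip, user, ts in successes_after_brute_force(SAMPLE_LOG):
        print(f"ALERT {ts}: successful login for {user} from flagged source {ip}")
```

On a live host the same functions can be fed `open("/var/log/secure")` instead of `SAMPLE_LOG`; the second check is the one worth paging on, since a burst of failures alone is background noise on any Internet-facing SSH port, while a success from a source that was just guessing is the point at which the script upload, log deletion and rootkit install described above would begin.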
Conclusion
The persistence and evolving tactics of TeamTNT underscore the importance of proactive security measures and continuous monitoring to safeguard against such threats. Organizations must prioritize security updates, implement robust protocols, and enhance detection capabilities to mitigate the risks posed by threat actors like TeamTNT. As cyber threats continue to evolve, staying ahead of adversaries and adapting security practices accordingly is essential to protect sensitive data and infrastructure.
References
[1] https://rhyno.io/blogs/cybersecurity-news/new-cryptojacking-campaign-strikes-centos/
[2] https://thehackernews.com/2024/09/new-teamtnt-cryptojacking-campaign.html
[3] https://www.scmagazine.com/news/teamtnt-aims-to-take-down-cloud-based-docker-containers-kubernetes-clusters
[4] https://www.infosecurity-magazine.com/news/cryptojacking-gang-teamtnt-comeback/