TeamTNT aims to take down cloud-based Docker containers, Kubernetes clusters – Go Health Pro

A new campaign by cryptojacking threat actor TeamTNT takes down Docker containers and Kubernetes clusters by targeting virtual private server (VPS) cloud infrastructures on the widely used Linux-based CentOS.

In a Sept. 18 blog post, Group-IB researchers explained that the attacks begin with SSH brute force attacks that then upload malicious scripts. The malware in the scripts can disable security features, delete logs, and modify system files while searching for existing miners.

According to the researchers, the malicious scripts also kill cryptocurrency mining processes and remove Docker containers. They also install the Diamorphine rootkit for stealth and root privileges, and then use custom tools to maintain persistence and control.

TeamTNT has been active since at least the fall of 2019 and has been best known for targeting Linux and Redis servers and misconfigured Docker containers. Of late, they've also focused on Kubernetes clusters.

While the researchers didn't mention the full scope of these attacks, security pros said the research shows how the latest cloud-based tools such as Docker and Kubernetes have created new security issues – and how attackers always seem to find ways to exploit these new cloud environments.

Jason Soroko, senior fellow at Sectigo, pointed out that CentOS, particularly version 7, remains widely used despite its discontinuation, and many VPS providers still offer it. Soroko added that TeamTNT's focus on CentOS VPS instances is significant because these systems often lack up-to-date security patches, making them vulnerable.

“The threat group's ability to exploit these weaknesses in cloud environments underscores serious security issues inherent in cloud technologies, such as Kubernetes and Docker,” said Soroko. “TeamTNT's campaigns demonstrate that they can effectively compromise, control, and disable cloud infrastructures, highlighting the urgent need for enhanced security measures in cloud deployments.”

Callie Guenther, senior manager of cyber threat research at Critical Start, said TeamTNT's resurgence shows a clear focus on exploiting vulnerabilities in cloud environments, particularly targeting older, but still widely used systems like CentOS on VPS instances.

Guenther, an SC Media columnist, added that despite CentOS's official discontinuation, many organizations and VPS providers have yet to fully transition, leaving these systems exposed. TeamTNT has capitalized on this by launching SSH brute force attacks, disabling security features, and using the Diamorphine rootkit to establish persistence and stealth.

“The real concern, however, is the growing complexity of securing cloud infrastructures,” said Guenther. “With cloud-native technologies like Kubernetes and Docker, attackers can exploit misconfigurations and weak security practices to take control of resources. Security teams should prioritize strengthening SSH configurations, monitoring for rootkits, and ensuring containerized environments are secured to mitigate these emerging threats.”
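As an added illustration of the defensive measures the article mentions (spotting SSH brute-force bursts in the auth log, tightening sshd_config, and monitoring for an LKM rootkit such as Diamorphine), the following Python is example code written for this page, not Group-IB's, the article's, or any tooling attributed to TeamTNT. The log lines, config fragment, module lists, thresholds and the assumed log year are all constructed for illustration.

```python
"""SSH brute-force detection, sshd_config audit, and hidden-module check.

Added example, not code from the article or from Group-IB; the log lines,
config fragment and module lists below are constructed, and the thresholds
and the assumed log year are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH failed-login line in syslog format (/var/log/secure on CentOS).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def detect_ssh_bruteforce(lines, threshold=5, window=timedelta(minutes=1), year=2024):
    """Return {ip: total_failures} for sources with >= threshold failed logins
    inside any sliding window. Syslog timestamps carry no year, so one is assumed."""
    events = defaultdict(list)
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[m["ip"]].append(ts)
    flagged = {}
    for ip, times in events.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


# sshd_config directives that make password brute force feasible, with the
# hardening implied by the advice to strengthen SSH configurations.
WEAK_DIRECTIVES = {
    "PermitRootLogin": ({"yes"}, "set to no or prohibit-password"),
    "PasswordAuthentication": ({"yes"}, "set to no and use key-based authentication"),
    "PermitEmptyPasswords": ({"yes"}, "set to no"),
}


def audit_sshd_config(text):
    """Return [(directive, value, advice)] for weak settings in sshd_config text."""
    findings = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].strip().split(None, 1)  # drop comments
        if len(parts) != 2:
            continue
        key, value = parts
        if key == "MaxAuthTries" and value.isdigit() and int(value) > 4:
            findings.append((key, value, "lower to 4 or fewer"))
        elif key in WEAK_DIRECTIVES and value.lower() in WEAK_DIRECTIVES[key][0]:
            findings.append((key, value, WEAK_DIRECTIVES[key][1]))
    return findings


def hidden_modules(proc_modules_text, loaded_sys_modules):
    """Loaded LKMs present under /sys/module but missing from /proc/modules
    (which is what lsmod reads). A Diamorphine-style rootkit unlinks itself
    from the kernel's module list, hiding it from lsmod, while the
    /sys/module/<name> directory created at load time remains. Pass only the
    /sys/module entries that contain an `initstate` file: built-in modules
    also have a /sys/module directory but never appear in /proc/modules."""
    listed = {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}
    return sorted(set(loaded_sys_modules) - listed)


# Constructed auth-log excerpt: a burst from 203.0.113.7 plus one stray failure.
SAMPLE_AUTH_LOG = [
    "Sep 18 10:00:01 vps sshd[1042]: Failed password for root from 203.0.113.7 port 51234 ssh2",
    "Sep 18 10:00:03 vps sshd[1043]: Failed password for root from 203.0.113.7 port 51235 ssh2",
    "Sep 18 10:00:05 vps sshd[1044]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2",
    "Sep 18 10:00:07 vps sshd[1045]: Failed password for root from 203.0.113.7 port 51237 ssh2",
    "Sep 18 10:00:09 vps sshd[1046]: Failed password for root from 203.0.113.7 port 51238 ssh2",
    "Sep 18 10:00:11 vps sshd[1047]: Failed password for invalid user oracle from 203.0.113.7 port 51239 ssh2",
    "Sep 18 10:05:00 vps sshd[1100]: Failed password for alice from 198.51.100.2 port 40000 ssh2",
    "Sep 18 10:30:00 vps sshd[1200]: Accepted publickey for alice from 198.51.100.2 port 40001 ssh2",
]

# Constructed sshd_config fragment with defaults a VPS image might ship.
SAMPLE_SSHD_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes   # password logins are what brute force relies on
MaxAuthTries 6
X11Forwarding no
"""

# Constructed module views: lsmod output versus loaded entries under /sys/module.
SAMPLE_PROC_MODULES = "xfs 1515520 1 - Live 0x0000000000000000\next4 737280 0 - Live 0x0000000000000000\n"
SAMPLE_SYS_MODULES = ["xfs", "ext4", "diamorphine"]

if __name__ == "__main__":
    print("brute-force sources:", detect_ssh_bruteforce(SAMPLE_AUTH_LOG))
    print("weak sshd settings:", audit_sshd_config(SAMPLE_SSHD_CONFIG))
    print("hidden modules:", hidden_modules(SAMPLE_PROC_MODULES, SAMPLE_SYS_MODULES))
```

On a live CentOS host the same functions can be fed `/var/log/secure`, `/etc/sshd/sshd_config` and, for the module check, `/proc/modules` together with the names of the `/sys/module/*` directories that contain an `initstate` file; any name the last check returns deserves a closer look before the host is trusted again.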
