A new campaign by cryptojacking threat actor TeamTNT takes down Docker containers and Kubernetes clusters by targeting virtual private server (VPS) cloud infrastructures on the widely used Linux-based CentOS.
In a Sept. 18 blog post, Group-IB researchers explained that the attacks begin with SSH brute force attacks that then upload malicious scripts. The malware in the scripts can disable security features, delete logs, and modify system files while searching for existing miners.
According to the researchers, the malicious scripts also kill cryptocurrency mining processes and remove Docker containers. They also install the Diamorphine rootkit for stealth and root privileges, and then use custom tools to maintain persistence and control.
TeamTNT has been active since at least the fall of 2019 and has been best known for targeting Linux and Redis servers and misconfigured Docker containers. Of late, they have also focused on Kubernetes clusters.
While the researchers did not indicate the full scope of these attacks, security pros said the research shows how the latest cloud-based tools such as Docker and Kubernetes have created new security issues – and how attackers always seem to find ways to exploit these new cloud environments.
Jason Soroko, senior fellow at Sectigo, pointed out that CentOS, particularly version 7, remains widely used despite its discontinuation, and many VPS providers still offer it. Soroko added that TeamTNT’s focus on CentOS VPS instances is significant because these systems often lack up-to-date security patches, making them vulnerable.
“The threat group’s ability to exploit these weaknesses in cloud environments underscores serious security issues inherent in cloud technologies, such as Kubernetes and Docker,” said Soroko. “TeamTNT’s campaigns demonstrate that they can effectively compromise, control, and disable cloud infrastructures, highlighting the urgent need for enhanced security measures in cloud deployments.”
Callie Guenther, senior manager of cyber threat research at Critical Start, said TeamTNT’s resurgence shows a clear focus on exploiting vulnerabilities in cloud environments, particularly targeting older, yet still widely used systems like CentOS on VPS instances.
Guenther, an SC Media columnist, added that despite CentOS's official discontinuation, many organizations and VPS providers have yet to fully transition, leaving these systems exposed. TeamTNT has capitalized on this by launching SSH brute force attacks, disabling security features, and using the Diamorphine rootkit to establish persistence and stealth.
“The real concern, however, is the growing complexity of securing cloud infrastructures,” said Guenther. “With cloud-native technologies like Kubernetes and Docker, attackers can exploit misconfigurations and weak security practices to take control of resources. Security teams should prioritize strengthening SSH configurations, monitoring for rootkits, and ensuring containerized environments are secured to mitigate these emerging threats.”
