
TeamTNT aims to take down cloud-based Docker containers, Kubernetes clusters

Submitted by Style Pass, 2024-09-19 16:30:01

A new campaign by the cryptojacking threat actor TeamTNT takes down Docker containers and Kubernetes clusters by targeting virtual private server (VPS) cloud infrastructure running the widely used CentOS Linux distribution.

In a Sept. 18 blog post, Group-IB researchers explained that the attacks begin with SSH brute-force attempts; once the attackers gain access, they upload malicious scripts. The malware in those scripts disables security features, deletes logs and modifies system files, and it searches the host for existing cryptocurrency miners.

According to the researchers, the scripts also kill any competing cryptocurrency mining processes and remove Docker containers. They then install the Diamorphine rootkit, a loadable kernel module used to hide processes and grant root privileges, and use custom tools to maintain persistence and control of the host.
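Because the campaign's initial access is SSH password guessing, the most practical early detection is a burst of failed logins followed by a successful password login from the same source. The script below is an added example written for this page, not Group-IB's or TeamTNT's code; it parses constructed OpenSSH-style auth.log lines, flags any source IP that exceeds a failure threshold within a sliding time window, and escalates if that IP then authenticates. The host name, IP addresses, thresholds and log lines are all assumed sample values.

```python
"""Flag SSH brute-force bursts, and successful logins that follow them, in auth.log-style lines."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in OpenSSH/syslog format (assumed values, not from the campaign).
SAMPLE_LOG = """\
Sep 18 10:01:02 vps sshd[1201]: Failed password for root from 203.0.113.9 port 41022 ssh2
Sep 18 10:01:03 vps sshd[1203]: Failed password for root from 203.0.113.9 port 41030 ssh2
Sep 18 10:01:04 vps sshd[1205]: Failed password for invalid user admin from 203.0.113.9 port 41040 ssh2
Sep 18 10:01:05 vps sshd[1207]: Failed password for root from 203.0.113.9 port 41048 ssh2
Sep 18 10:01:06 vps sshd[1209]: Failed password for root from 203.0.113.9 port 41052 ssh2
Sep 18 10:01:08 vps sshd[1211]: Accepted password for root from 203.0.113.9 port 41060 ssh2
Sep 18 10:05:00 vps sshd[1300]: Failed password for deploy from 198.51.100.7 port 50100 ssh2
Sep 18 10:30:00 vps sshd[1400]: Accepted publickey for deploy from 198.51.100.7 port 50200 ssh2
"""

# Matches the "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" sshd messages.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(lines, year=2024):
    """Return (timestamp, result, method, user, ip) tuples; syslog omits the year, so it is supplied."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


def find_bruteforce(events, threshold=5, window_s=60):
    """Alert once per IP that reaches `threshold` failures within `window_s` seconds,
    and again if that IP later logs in successfully (the campaign's initial access)."""
    failures = defaultdict(list)   # ip -> timestamps of recent failures (sliding window)
    flagged = set()
    alerts = []
    for ts, result, method, user, ip in sorted(events):
        if result == "Failed":
            recent = failures[ip]
            recent.append(ts)
            # Drop failures that fell out of the window.
            while recent and (ts - recent[0]).total_seconds() > window_s:
                recent.pop(0)
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"kind": "bruteforce", "ip": ip, "failures": len(recent), "at": ts})
        elif result == "Accepted" and ip in flagged:
            # A login from a source that was just brute-forcing is the high-priority signal.
            alerts.append({"kind": "bruteforce_success", "ip": ip, "user": user,
                           "method": method, "at": ts})
    return alerts


def analyze(text, threshold=5, window_s=60):
    """Convenience wrapper: raw log text in, list of alert dicts out."""
    return find_bruteforce(parse(text.splitlines()), threshold, window_s)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample input this reports a brute-force burst from 203.0.113.9 and then a `bruteforce_success` for root from the same address, while the single failure and key-based login from 198.51.100.7 produce nothing. Tune the threshold and window to the host's normal traffic, and remember that the campaign's scripts delete logs, so ship auth.log off the host (or read it from journald forwarding) rather than relying on a local file.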

TeamTNT has been active since at least the fall of 2019 and is best known for targeting Linux and Redis servers and misconfigured Docker deployments. More recently it has also focused on Kubernetes clusters.

While the researchers did not indicate the full scope of these attacks, security professionals said the research shows how widely adopted cloud-native tools such as Docker and Kubernetes have created new security issues, and how attackers keep finding ways to exploit these cloud environments.
