Self-propagating malware poisons open supply software program and wipes Iran-based machines
In an e mail, Aikido researcher Charlie Eriksen mentioned the canister was taken down Sunday night time and is now not obtainable.
“It wasn’t as dependable/untouchable as they anticipated,” Eriksen wrote. “However for some time, it will have wiped methods if contaminated.”
Like earlier TeamPCP malware, CanisterWorm, as Aikido has named the malware, targets organizations’ CI/CD pipelines used for fast improvement and deployment of software program.
“Each developer or CI pipeline that installs this package deal and has an npm token accessible turns into an unwitting propagation vector, Eriksen wrote. “Their packages get contaminated, their downstream customers set up these, and if any of them have tokens, the cycle repeats.”
Because the weekend progressed, CanisterWorm was up to date so as to add an extra payload: a wiper that targets machines solely in Iran. When the up to date worm infects machines, it checks if the machine is within the Iranian timezone or is configured to be used in that nation. When both situation was met, the malware now not activated the credential stealer and as an alternative triggered a novel wiper that TeamPCP builders named Kamikaze. Eriksen mentioned in an e mail that there’s no indication but that the worm prompted precise injury to Iranian machines, however that there was “clear potential for large-scale affect if it achieves energetic unfold.”
Eriksen mentioned Kamikaze’s “choice tree is easy and brutal.”
- Kubernetes + Iran: Deploy a DaemonSet that wipes each node within the cluster
- Kubernetes + elsewhere: Deploy a DaemonSet that installs the CanisterWorm backdoor on each node
- No Kubernetes + Iran:
rm -rf / --no-preserve-root - No Kubernetes + elsewhere: Exit. Nothing occurs.
TeamPCP’s focusing on of a rustic that the US is presently at battle with is a curious alternative. So far the group’s motivation has been monetary achieve. With no clear connection to financial revenue, the wiper appears out of character for TeamPCP. Eriksen mentioned Aikido nonetheless doesn’t know the motive. He wrote:
Whereas there could also be an ideological part, it might simply as simply be a deliberate try to attract consideration to the group. Traditionally, TeamPCP has seemed to be financially motivated, however there are indicators that visibility is changing into a objective in itself. By going after safety instruments and open-source initiatives, together with Checkmarx as of at present, they’re sending a transparent and deliberate sign.
The hack that retains on giving
Final week’s supply-chain compromise of Trivy was made attainable by a earlier compromise of Aqua Safety in late February. Though the corporate’s incident response was supposed to interchange all compromised credentials, the rotation was incomplete, permitting TeamPCP to take management of the GitHub account for distributing the vulnerability scanner. Aqua Safety mentioned it was performing a extra thorough credential purge in response.
