In an e mail, Aikido researcher Charlie Eriksen mentioned the canister was taken down Sunday night time and is not accessible.
“It wasn’t as dependable/untouchable as they anticipated,” Eriksen wrote. “However for some time, it will have wiped programs if contaminated.”
Like earlier TeamPCP malware, CanisterWorm, as Aikido has named the malware, targets organizations’ CI/CD pipelines used for fast improvement and deployment of software program.
“Each developer or CI pipeline that installs this bundle and has an npm token accessible turns into an unwitting propagation vector, Eriksen wrote. “Their packages get contaminated, their downstream customers set up these, and if any of them have tokens, the cycle repeats.”
Because the weekend progressed, CanisterWorm was up to date so as to add an extra payload: a wiper that targets machines completely in Iran. When the up to date worm infects machines, it checks if the machine is within the Iranian timezone or is configured to be used in that nation. When both situation was met, the malware not activated the credential stealer and as a substitute triggered a novel wiper that TeamPCP builders named Kamikaze. Eriksen mentioned in an e mail that there’s no indication but that the worm brought on precise harm to Iranian machines, however that there was “clear potential for large-scale affect if it achieves lively unfold.”
Eriksen mentioned Kamikaze’s “choice tree is straightforward and brutal.”
- Kubernetes + Iran: Deploy a DaemonSet that wipes each node within the cluster
- Kubernetes + elsewhere: Deploy a DaemonSet that installs the CanisterWorm backdoor on each node
- No Kubernetes + Iran:
rm -rf / --no-preserve-root - No Kubernetes + elsewhere: Exit. Nothing occurs.
TeamPCP’s concentrating on of a rustic that the US is presently at struggle with is a curious alternative. Thus far the group’s motivation has been monetary acquire. With no clear connection to financial revenue, the wiper appears out of character for TeamPCP. Eriksen mentioned Aikido nonetheless doesn’t know the motive. He wrote:
Whereas there could also be an ideological element, it may simply as simply be a deliberate try to attract consideration to the group. Traditionally, TeamPCP has gave the impression to be financially motivated, however there are indicators that visibility is changing into a aim in itself. By going after safety instruments and open-source initiatives, together with Checkmarx as of immediately, they’re sending a transparent and deliberate sign.
The hack that retains on giving
Final week’s supply-chain compromise of Trivy was made potential by a earlier compromise of Aqua Safety in late February. Though the corporate’s incident response was supposed to switch all compromised credentials, the rotation was incomplete, permitting TeamPCP to take management of the GitHub account for distributing the vulnerability scanner. Aqua Safety mentioned it was performing a extra thorough credential purge in response.
