'CanisterWorm' Springs Wiper Attack Targeting Iran
A financially motivated cybercrime group called TeamPCP has launched a wiper attack targeting Iran, using a worm that spreads through cloud services and destroys data on infected systems. The attack leverages compromised infrastructure and exploits misconfigurations, with a focus on cloud environments.
Abstract: A new cybercrime group named TeamPCP is conducting a data theft and extortion campaign targeting Iran with a worm that wipes data on infected systems.

TeamPCP's Attack Strategy: TeamPCP specializes in large-scale automation and integration of known attack techniques to exploit cloud infrastructure vulnerabilities rather than endpoints.

Supply Chain Attack on Trivy: TeamPCP executed a supply chain attack on the Trivy vulnerability scanner, injecting credential-stealing malware into its official GitHub releases.

Wiper Attack Deployment: The same infrastructure used in the Trivy attack was leveraged to deploy a new payload that executes a wiper attack targeting systems with Iranian timezone and locale settings.

CanisterWorm Infrastructure: TeamPCP utilizes Internet Computer Protocol (ICP) canisters, tamperproof blockchain-based systems, for orchestrating campaigns, making their infrastructure resistant to takedowns.

Bragging and Data Theft Claims: TeamPCP members are bragging on Telegram about stealing vast amounts of sensitive data, including from a large pharmaceutical firm, and have compromised numerous GitHub accounts.

GitHub Malware Problem: Security experts suggest spammed GitHub messages are used by TeamPCP to keep their malicious code packages prominent in search results, contributing to a growing malware problem on the platform.

Previous Trivy Attack: This recent wiper attack follows a previous major supply chain attack on Trivy in late February, known as HackerBot-Claw, which exploited GitHub Actions to steal authentication tokens.

Uncertainty of Wiper Success: It is uncertain whether TeamPCP's wiper attack succeeded in trashing data, as the payload was active for a short period and rapidly changed, potentially aiming only to gain attention.

Increasing Supply Chain Attacks: Supply chain attacks are increasing in frequency as threat actors recognize their efficiency, highlighting the need for improved security measures from both security firms and platforms like GitHub.

KICS Scanner Compromise: TeamPCP also pushed credential-stealing malware to the KICS vulnerability scanner from Checkmarx via its compromised GitHub Action on March 23rd.
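Both the Trivy and KICS compromises described above ran through GitHub Actions, where a mutable tag or branch reference lets a compromised upstream action be pulled into every downstream build. The audit script below is an added example, not code from the page or from any of the projects it names: it flags `uses:` references that are not pinned to a full commit SHA and workflows granting `write-all` token permissions. The sample workflow is constructed for the example; the action names and the 40-character SHA in it are illustrative placeholders.

```python
import re
from typing import Dict, List

# Constructed sample workflow (not from the page): one step pinned to a full
# commit SHA, two steps pinned only to mutable references, and broad permissions.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
permissions: write-all
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
      - uses: actions/upload-artifact@1234567890abcdef1234567890abcdef12345678
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")


def audit_workflow(text: str) -> Dict[str, List[str]]:
    """Return actions not pinned to a commit SHA and any write-all permissions."""
    unpinned: List[str] = []
    broad: List[str] = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            # Local (./path) and docker:// references are not remote GitHub actions; skip them.
            if ref.startswith("./") or ref.startswith("docker://"):
                continue
            # A tag or branch after '@' can be moved by whoever controls the upstream repo;
            # only a full 40-hex commit SHA identifies an immutable version.
            if "@" not in ref or not SHA_RE.match(ref.rsplit("@", 1)[1]):
                unpinned.append(ref)
        stripped = line.strip()
        if stripped.startswith("permissions:") and stripped.split(":", 1)[1].strip() == "write-all":
            broad.append(stripped)
    return {"unpinned": unpinned, "broad_permissions": broad}


if __name__ == "__main__":
    for kind, items in audit_workflow(SAMPLE_WORKFLOW).items():
        for item in items:
            print(f"{kind}: {item}")
```

Pinning alone does not verify what a SHA contains; it only guarantees that a later tag move or branch push upstream cannot silently change what your pipeline runs.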
