Self-Propagating Malware Poisons Open Source Software, Wipes Iran-Based Machines (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: A new hacking group has been rampaging the Internet in a persistent campaign that spreads a self-propagating and never-before-seen backdoor -- and curiously a data wiper that targets Iranian machines. The group, tracked under the name TeamPCP, first gained visibility in December, when researchers from security firm Flare observed it unleashing a worm that targeted cloud-hosted platforms that weren't properly secured. The objective was to build a distributed proxy and scanning infrastructure and then use it to compromise servers for exfiltrating data, deploying ransomware, conducting extortion, and mining cryptocurrency. The group is notable for its skill in large-scale automation and integration of well-known attack techniques.
More recently, TeamPCP has waged a relentless campaign that uses continuously evolving malware to bring ever more systems under its control. Late last week, it compromised virtually all versions of the widely used Trivy vulnerability scanner in a supply-chain attack after gaining privileged access to the GitHub account of Aqua Security, the Trivy creator. Over the weekend, researchers said they observed TeamPCP spreading potent malware that was also worm-enabled, meaning it had the potential to spread to new machines automatically, with no interaction required of victims behind the keyboard. [...]
As the weekend progressed, CanisterWorm [as Aikido has named the malware] was updated to add an additional payload: a wiper that targets machines exclusively in Iran. When the updated worm infects machines, it checks if the machine is in the Iranian timezone or is configured for use in that country. When either condition was met, the malware no longer activated the credential stealer and instead triggered a novel wiper that TeamPCP developers named Kamikaze. Eriksen said in an email that there's no indication yet that the worm caused actual damage to Iranian machines, but that there was "clear potential for large-scale impact if it achieves active spread." It's unclear what the motive is for TeamPCP. Aikido researcher Charlie Eriksen wrote: "While there may be an ideological component, it could just as easily be a deliberate attempt to draw attention to the group. Historically, TeamPCP has appeared to be financially motivated, but there are signs that visibility is becoming a goal in itself. By going after security tools and open-source projects, including Checkmarx as of today, they are sending a clear and deliberate signal."
No chance any Israelis involved, is there? (Score:4, Interesting)
Re: (Score:2, Interesting)
Israel has zero hackers working on trying to damage the Iranian nuclear program... right?
And maybe that's exactly what the creators of that malware want you to think.
Re: (Score:1, Insightful)
And ultimately funded by the USA thanks to the billions we give to Israel. Thanks AIPAC https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: No chance any Israelis involved, is there? (Score:1)
This is what coward trolls say when they have no facts to work with. I thought the paid Israeli trolls were all huddled in bunkers now.
Re: (Score:1)
There's obviously a few paid pro-Israel trolls still out and about. Just based on what I've read here, US and Israeli propaganda is swamping Slashdot. There's openly pro-Israel and Anonymous Coward pro-Israel. If you want to be anti-Israel, though, you'd better post as an AC, or you're going to be labeled "anti-Semitic" faster than you can blink.
Re: (Score:1)
aww, I hurt its feelings (Score:2)
Nobody who wants to bring on the end times should be trusted with anything, ever, in any situation.
Re: (Score:1)
Sure thing buddy. People calling you an antisemite are obviously part of an organized and evil plot powered by evil jew gold. It has nothing to do with the fact you're out here claiming everyone who isn't fanatically anti-Israel must be part of an organized and evil plot powered by evil jew gold.
Re: (Score:2)
Ah yes the classic "jew gold" trope. Everybody who doesn't participate in your judenhass antisemitismus "antizionism" must be under the sway of the evil jew gold. It can't possibly be that frothing at the mouth over one of the smallest domestic lobby groups in the US out of an assumption that Israel absolutely positively must be involved in every single nefarious thing happening in the world is a sign someone just hates jews.
Re: (Score:3)
Notice the number of commas in this figure. https://foreignassistance.gov/... [foreignassistance.gov]
Re: (Score:3)
Re: (Score:2)
You mean the billions that are contractually required to go straight to American companies, as opposed to the billions in cold hard cash given to Arab dictators to build palaces, fund terrorism, and buy off American universities?
Re: (Score:1)
But we all remember Stuxnet..... That was Israel and the U.S. that did that one. So maybe not.....
Re: (Score:2)
Re: No chance any Israelis involved, is there? (Score:3, Funny)
None. This is entirely Russia, with its single washing machine CPU.
Re: (Score:2)
New Russian CPU is BIGGEST and BEST! 1000x size of Intel CPU!
Re: No chance any Israelis involved, is there? (Score:2)
Oh no! Will they threaten my democracy with it?
Re: (Score:2)
Newest Russian CPU crush you like bug!
Re: (Score:2, Funny)
Can't wait! (Score:4, Insightful)
How long will it be before malware such as this is used to (further) poison LLMs? Is there the potential to make LLM outputs strategically false and/or propagandistic and/or psychologically damaging?
IANAP, so I don't know if these things are feasible. But if I was a black-hat hacker with a grudge - or one who simply gets off on wreaking havoc - I'd be pursuing that course of action.
Re: Can't wait! (Score:3)
You can only account for so many poisoned records before your accounting strategy displaces the actual data.
Iran is offline (Score:2)
From what I see, Iran is completely offline at this point, right?
Re: (Score:2)
That's what it seems. After the internet shutdown of January 8th, there hasn't been a large scale restoration of online access there.
Re: (Score:2, Offtopic)
Re: Iran is offline (Score:2)
On the gripping hand, we don't want them fixing their shit after we broke it in the first place. If we wanted a secular Iran we could have simply done nothing we've done to them for many decades. This was not what we wanted.
Re: (Score:2)
Re: (Score:2)
Except for governments, rulers, elites etc, I presume. That is, perfect targets for this sort of malware.
is the "lesson" (Score:2)
I'm admittedly not knowledgeable on Kuberwhatever, but I always look to reduce dependencies. Talked to a few techies I know in the middle of corporate servitude, the opinion was split on whether K was really and truly useful vs. really and truly just a dependency trap for lazy devops.
layers and layers of moving parts = more vulns, IMHO
Re:is the "lesson" (Score:4, Informative)
Kubernetes is like Docker. They're container systems. Basically they use Linux namespaces to let you run an independent userspace to your current userspace. This can have valuable benefits - like needing to run an ancient userspace for some tool on modern hardware (e.g., if you need an Ubuntu 14.04 LTS environment for some reason, it's basically impossible to run it on modern hardware without building your own kernel and stuff).
All Linux is doing is standard app level virtualization - you know the same protections that keep your web browser from interfering with your word processor.
Containers have their uses, and are far more lightweight than VMs since it's just a few additional Linux processes in the end (they all run on the host kernel natively). They are still vulnerable to the same inter-process attacks because to Linux, they're just another process running on the same machine. Kubernetes and Docker are just applications that help manage the Linux namespaces and virtual file systems.
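The point the comment above makes, that a container is just a set of host processes placed in separate kernel namespaces, can be seen directly from the host side. The following script is an added example, not code from the commenter or from any project named on the page. It assumes a Linux host with `/proc` mounted; each `/proc/<pid>/ns/<kind>` symlink resolves to a string such as `pid:[4026531836]`, and two processes that resolve to the same string share that namespace. Grouping every visible PID by that string gives a host-side view of which processes belong to which container. The `SAMPLE_LINKS` table is constructed for illustration; the inode numbers in it are made up.

```python
import os
from collections import defaultdict

# Namespace kinds exposed under /proc/<pid>/ns on a modern Linux kernel.
NS_KINDS = ("pid", "mnt", "net", "uts", "ipc", "user", "cgroup")


def ns_link(pid, kind="pid"):
    """Return the kernel's identifier for one namespace of a process,
    e.g. 'pid:[4026531836]'. A namespace is a kernel object; the inode
    number in brackets is what distinguishes one namespace from another."""
    return os.readlink(f"/proc/{pid}/ns/{kind}")


def same_namespace(pid_a, pid_b, kind="pid"):
    """True if both processes are in the same namespace of the given kind,
    i.e. from the host kernel's point of view they sit in the same 'container'."""
    return ns_link(pid_a, kind) == ns_link(pid_b, kind)


def group_by_namespace(links):
    """links: mapping pid -> namespace link string (as returned by ns_link).
    Returns mapping namespace link -> sorted list of pids sharing it.
    Kept pure (no /proc access) so it can be exercised on constructed input."""
    groups = defaultdict(list)
    for pid, link in links.items():
        groups[link].append(pid)
    return {link: sorted(pids) for link, pids in groups.items()}


def scan_host(kind="pid"):
    """Walk /proc on the host and group every readable process by namespace.
    Processes inside containers show up here like any other host process;
    only their namespace link differs from the host's."""
    links = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            links[int(entry)] = ns_link(entry, kind)
        except (PermissionError, FileNotFoundError):
            # Process exited between listdir and readlink, or belongs to
            # another user and /proc hides its namespace links from us.
            continue
    return group_by_namespace(links)


# Constructed sample (not real data): PIDs 1 and 4242 are in the host's PID
# namespace, PIDs 5100 and 5101 are inside one container's PID namespace.
SAMPLE_LINKS = {
    1: "pid:[4026531836]",
    4242: "pid:[4026531836]",
    5100: "pid:[4026532512]",
    5101: "pid:[4026532512]",
}

if __name__ == "__main__":
    # On a real host this prints one line per PID namespace; every container
    # (and the host itself) appears as its own group of ordinary PIDs.
    for link, pids in sorted(scan_host("pid").items()):
        print(f"{link}: {len(pids)} processes, e.g. {pids[:5]}")
```

Run as root on a host that has containers running and the `pid` groups map one-to-one onto the containers; switch the kind to `net` or `mnt` to see which processes share a network stack or mount table. Because the kernel is shared, a kernel bug or an overly permissive capability set is what separates "same process table, different namespace" from "same process table, full stop", which is why the comment's warning about inter-process attacks still applies.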
Re: (Score:2)
I use VMs for running my old Ubuntu web server that was all configured and working.
GPL virus infect YOU! (Score:1)
Good job, malware dudes. Your malware is now GPLed. Enjoy seeing it used without payment. Now we have our own malware (thanks!) so why do we still need you?