
While most of the team's activities so far seemed to be related to obtaining money, the latest version of the software dubbed CanisterWorm will completely erase the contents of any Iranian machine it finds itself on, identifying the country by the system's time zone. On Kubernetes hosts it deletes every machine in the cluster, while standard VMs of whichever type get a good ol' "rm -rf / --no-preserve-root" — no questions asked. If the machine is not Iranian, the infection and spread continue as usual.
There's seemingly no immediate motivation for the data wipe, especially given a dead host isn't much use to a parasite. In a statement to KrebsOnSecurity, Aikido researcher Charlie Eriksen said that the group was apparently just showing off, and hypothesized that it may hold credentials to a much larger number of systems than those that participated in the attack.
The latest attack started over the past weekend, kickstarted by a compromise of the Trivy open-source vulnerability scanner, which many developers run as part of their software publishing infrastructure. Node.js (npm) packages that used Trivy had their publishing credentials harvested, and from there the malware spread to other npm packages and set up a multitude of background processes masquerading as standard system services.
What makes this particular attack novel on the technical side is that the command-and-control infrastructure — the "control panel" of the malware network operators — was a dead drop published on an ICP (Internet Compute Project) canister, hence the CanisterWorm name. A canister is a type of smart contract, a small blockchain-hosted set of code and data that is particularly resilient to being brought down, due to its distributed nature.
Unlike cryptocurrency blockchains such as Bitcoin or Ethereum, participants in the ICP must undergo a strict identification and vetting process and provide substantial hardware to run it. Estimates pin the number of participating machines at around 1400 (half active, half on standby) across over 100 node providers and 34 countries.