
While most of the group's activities so far seemed to be aimed at obtaining money, the latest version of the malware, dubbed CanisterWorm, will completely erase the contents of any Iranian machine it finds itself on, identifying the target by the system's time zone. On Kubernetes hosts it deletes every machine in the cluster, while standard VMs of whichever type get a good ol' "rm -rf / --no-preserve-root" — no questions asked. If the machine is not Iranian, the infection and spread continue as usual.
There's seemingly no immediate motivation for the data wipe, especially given a dead host isn't much use to a parasite. In a statement to KrebsOnSecurity, Aikido researcher Charlie Eriksen said that the group was apparently just showing off, and hypothesized that it may hold credentials to a much larger number of systems than those that participated in the attack.
The latest attack started over the past weekend, kickstarted by a hack on the Trivy open-source vulnerability scanner software that many developers use as part of their software publishing infrastructure. Node.js (npm) packages that used Trivy got their publishing credentials harvested, and from there the malware spread to other npm packages and set up a multitude of background processes masquerading as standard system services.
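The two behaviours described above (a time-zone gate in front of a destructive payload, delivered through npm install hooks that then install fake system services) are what a defender would want to triage packages for. The following is an added example, not code from the article, Aikido or the malware: a small heuristic scanner that inspects a package.json lifecycle hook and the files it invokes for the three indicator groups. The regexes, the sample manifest and the sample loader file are all constructed assumptions for illustration.

```python
import json
import re

# Heuristic indicators grouped by the behaviours the article describes.
# These regexes are illustrative assumptions, not published signatures.
INDICATORS = {
    "timezone_gate": [r"resolvedOptions\(\)\.timeZone", r"process\.env\.TZ", r"Tehran"],
    "destructive_payload": [r"rm\s+-rf\s+/(\s|$)", r"--no-preserve-root", r"kubectl\s+delete"],
    "service_masquerade": [r"/etc/systemd/system/", r"systemctl\s+enable"],
}
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")

def scan_source(source: str) -> dict:
    """Return {category: [matched regex, ...]} for every indicator found in source."""
    hits = {}
    for category, patterns in INDICATORS.items():
        matched = [p for p in patterns if re.search(p, source)]
        if matched:
            hits[category] = matched
    return hits

def triage_package(package_json: str, files: dict) -> dict:
    """files maps a relative path to its contents; returns findings per lifecycle hook."""
    scripts = json.loads(package_json).get("scripts", {})
    findings = {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        # Scan the hook command plus any package file the command names.
        blob = cmd + "\n" + "\n".join(body for path, body in files.items() if path in cmd)
        hits = scan_source(blob)
        if hits:
            findings[hook] = hits
    return findings

def risk_score(findings: dict) -> int:
    """Number of distinct behaviour categories seen; a gate plus a payload is already high."""
    return len({c for hits in findings.values() for c in hits})

# Constructed sample (not real CanisterWorm code): a postinstall hook and a loader
# file that carries indicator strings from all three categories.
SAMPLE_MANIFEST = json.dumps({"name": "example-pkg", "scripts": {"postinstall": "node setup.js"}})
SAMPLE_FILES = {"setup.js": (
    "const tz = Intl.DateTimeFormat().resolvedOptions().timeZone; // 'Asia/Tehran' check\n"
    "// payload: rm -rf / --no-preserve-root ; persistence: /etc/systemd/system/\n")}
```

Running `triage_package(SAMPLE_MANIFEST, SAMPLE_FILES)` on the constructed sample flags the postinstall hook in all three categories, giving a risk score of 3; a package with only a `test` script returns no findings.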
What makes this particular attack novel on the technical side is that the command-and-control infrastructure — the "control panel" of the malware network operators — was a dead drop published on an ICP (Internet Compute Project) canister, hence the CanisterWorm name. A canister is a type of smart contract, a small blockchain-hosted set of code and data that is particularly resilient to being brought down, due to its distributed nature.
Contrary to cryptocurrency blockchains like Bitcoin or Ethereum, participants of the ICP must undergo a strict identification and vetting process and provide substantial hardware to run it. Estimates pin the number of participating machines at around 1400 (half active, half on standby) across over 100 node providers and 34 countries.