CanisterWorm Wiper Campaign Targets Iranian Systems via Cloud Misconfigurations
What Happened – A financially‑motivated group tracked as TeamPCP deployed the self‑propagating “CanisterWorm”, which scans for cloud workloads whose time zone is set to Iran’s or whose locale is Farsi and wipes data on the nodes it reaches. The worm spreads through exposed Docker APIs, Kubernetes clusters, Redis servers and the React2Shell vulnerability; the same group also carried out a supply‑chain attack on Aqua Security’s Trivy scanner.
Why It Matters for TPRM –
- Cloud‑native supply‑chain compromises can introduce malicious code into trusted third‑party tools, jeopardizing all downstream customers.
- Misconfigured cloud services (Docker, Kubernetes, Redis) are a common attack surface; vendors must prove hardening and continuous monitoring.
- Wiper payloads cause immediate service disruption, turning a credential‑theft operation into a destructive campaign that can affect business continuity.
Who Is Affected – Organizations running Docker, Kubernetes or Redis on public‑cloud infrastructure (AWS, Azure) with control planes or services reachable from the Internet, especially workloads in the Middle East given the time‑zone and locale targeting; and, wherever they are located, any organization that pulled the compromised Trivy releases.
Recommended Actions –
- Verify that all cloud‑hosted services are behind authentication and have network‑level segmentation.
- Conduct a third‑party risk review of any tool that integrates with your CI/CD pipelines (e.g., vulnerability scanners and their GitHub Actions), including how the vendor builds and publishes its releases.
- Deploy continuous configuration‑drift detection and enforce least‑privilege IAM policies.
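The first action above (no cloud‑hosted service reachable without authentication) is something a vendor can be asked to evidence, and something you can check offline from configuration alone. The script below is an added example, not code from the original digest or from any vendor: it reads a Docker daemon.json and a redis.conf and flags the two exposure patterns the worm is described as abusing, an API served over plain TCP without TLS client verification and a Redis listener reachable from non‑loopback addresses with no requirepass. All sample configs, the 10.0.0.5 address and the REPLACE_ME password are constructed placeholders.

```python
"""Offline audit of a Docker daemon.json and a redis.conf for the exposures
named in the digest: an unauthenticated Docker API on TCP and a Redis server
remote hosts can reach without a password.  Added example with constructed
samples; not taken from any real incident or vendor configuration."""
import json

# Constructed sample: the weak daemon.json a worm scanning for open Docker
# APIs is looking for, beside a hardened one (mTLS, single internal address).
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

# Constructed sample: redis.conf exposed to the network without auth, beside
# one bound to loopback with a password (REPLACE_ME is a placeholder).
WEAK_REDIS_CONF = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED_REDIS_CONF = "bind 127.0.0.1 -::1\nprotected-mode yes\nrequirepass REPLACE_ME\n"


def audit_docker_daemon(daemon_json: str) -> list[str]:
    """Flag TCP listeners in a daemon.json that lack TLS client verification
    or that bind every interface.  Unix sockets are ignored."""
    cfg = json.loads(daemon_json)
    findings = []
    tls_verify = bool(cfg.get("tlsverify"))
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue
        if not tls_verify:
            findings.append(f"docker: {host} accepts API calls without TLS client certificates")
        addr = host[len("tcp://"):].rsplit(":", 1)[0]
        if addr in ("", "0.0.0.0", "[::]"):
            findings.append(f"docker: {host} listens on all interfaces")
    return findings


def _parse_redis_conf(conf: str) -> dict[str, str]:
    """Minimal redis.conf reader: 'key value' lines, '#' comments, last wins."""
    settings = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip().strip('"')
    return settings


def _is_loopback(addr: str) -> bool:
    addr = addr.lstrip("-")  # Redis 7 writes '-::1' for optional binds
    return addr.startswith("127.") or addr in ("::1", "localhost")


def audit_redis_conf(conf: str) -> list[str]:
    """Flag a Redis instance that remote hosts can reach without requirepass.
    Redis only refuses remote clients on its own when protected-mode is on
    AND no bind directive is set, so an explicit non-loopback bind or
    'protected-mode no' is what turns 'no password' into exposure."""
    s = _parse_redis_conf(conf)
    has_auth = bool(s.get("requirepass"))
    binds = s.get("bind", "").split()  # empty list => all interfaces
    loopback_only = bool(binds) and all(_is_loopback(b) for b in binds)
    protected = s.get("protected-mode", "yes").lower() == "yes"
    findings = []
    if not has_auth and not loopback_only and (binds or not protected):
        findings.append("redis: reachable from non-loopback addresses with no requirepass")
    return findings


def audit(daemon_json: str, redis_conf: str) -> list[str]:
    """Combined findings for one host's Docker and Redis configuration."""
    return audit_docker_daemon(daemon_json) + audit_redis_conf(redis_conf)


if __name__ == "__main__":
    for label, dj, rc in (("weak", WEAK_DAEMON_JSON, WEAK_REDIS_CONF),
                          ("hardened", HARDENED_DAEMON_JSON, HARDENED_REDIS_CONF)):
        print(label, audit(dj, rc) or "no findings")
```

A clean result from this check only shows that the daemon and Redis are not advertising themselves to every interface without credentials; it says nothing about whether a security group or network policy actually blocks the port, so pair it with the network‑level segmentation evidence the same action asks for.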
Technical Notes – The worm exploits a known vulnerability (React2Shell) and misconfigured Docker, Kubernetes and Redis services for initial access, then uses an Internet Computer Protocol (ICP) canister to coordinate propagation. In the Trivy compromise, the group injected credential‑stealing malware into Trivy releases through compromised GitHub Actions; the stealer harvested SSH keys, cloud tokens and cryptocurrency wallets. Source: Krebs on Security
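The GitHub Actions path described in the Technical Notes is the one a downstream consumer can do the most about: a workflow that references a third‑party action by a mutable tag or branch will pull whatever that ref points at after a compromise, and a release artifact can be compared against the publisher's SHA‑256 sums before it is run. The script below is an added example, not code from the original digest or from the Trivy project: it lists `uses:` references that are not pinned to a full commit SHA and verifies artifacts against a sums file. The workflow, the example‑vendor action, the 40‑hex SHA and the artifact bytes are all constructed.

```python
"""Two checks against the supply-chain path in the Technical Notes (a
compromised GitHub Actions pipeline shipping tainted scanner releases):
find workflow steps that reference third-party actions by mutable tag or
branch instead of a commit SHA, and verify downloaded release artifacts
against a published SHA-256 sums file.  Added example, not from the
original digest or from any scanner project; all samples are constructed."""
import hashlib
import re

# Constructed workflow: one step pinned to a (made-up) 40-hex commit SHA,
# two pinned only to a tag or branch that the action's owner can move.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - name: run scanner
        uses: example-vendor/scanner-action@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

_USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
_SHA_RE = re.compile(r"[0-9a-f]{40}")


def unpinned_actions(workflow_yaml: str) -> list[str]:
    """Return every remote 'uses:' reference whose ref is not a full commit SHA.
    Local actions (./...) and docker:// images are skipped.  A tag like v4 or a
    branch like main resolves to whatever the owner, or an attacker holding the
    owner's credentials, points it at next; a commit SHA does not move."""
    hits = []
    for line in workflow_yaml.splitlines():
        m = _USES_RE.match(line)
        if not m:
            continue
        spec = m.group(1)
        if spec.startswith(("./", "docker://")):
            continue
        _, _, ref = spec.partition("@")
        if not _SHA_RE.fullmatch(ref):
            hits.append(spec)
    return hits


def verify_checksums(sums_text: str, artifacts: dict[str, bytes]) -> dict[str, bool]:
    """Compare each artifact's SHA-256 with its entry in a 'digest  filename'
    sums file (the format sha256sum writes).  An artifact the sums file does
    not list counts as failed, not as unknown."""
    expected = {}
    for line in sums_text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            digest, name = parts
            expected[name.lstrip("*")] = digest.lower()
    return {name: hashlib.sha256(data).hexdigest() == expected.get(name)
            for name, data in artifacts.items()}


# Constructed release: a good artifact, one whose bytes were altered after
# the sums file was written, and one the publisher never listed.
SAMPLE_ARTIFACTS = {
    "tool_linux_amd64.tar.gz": b"hello",
    "tool_darwin_arm64.tar.gz": b"tampered",
    "tool_windows_amd64.zip": b"unlisted",
}
SAMPLE_SUMS = (
    "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824  tool_linux_amd64.tar.gz\n"
    "0000000000000000000000000000000000000000000000000000000000000000  tool_darwin_arm64.tar.gz\n"
)

if __name__ == "__main__":
    print("unpinned:", unpinned_actions(SAMPLE_WORKFLOW))
    print("checksums:", verify_checksums(SAMPLE_SUMS, SAMPLE_ARTIFACTS))
```

The two checks cover different failure modes. SHA pinning protects a consumer whose workflow would otherwise follow a moved tag, and the sums file catches an artifact altered in transit or after publication; neither helps when the release pipeline itself is what was compromised, because the attacker then publishes matching sums. For that case, verify a signature made with a key the pipeline did not hold and compare the pinned SHA against the upstream repository's history before adopting a new release.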