A profit-driven cybercrime gang is trying to insert itself into the Israel-Iran conflict by releasing a destructive worm that propagates via poorly secured cloud services and erases data on systems set to Iran’s time zone or using Farsi as the default language. Security researchers say the wiper attacks against Iran began over the past weekend and are the work of a relatively new group calling itself TeamPCP.

In December 2025, the group started attacking corporate cloud environments with a self-propagating worm that targeted exposed Docker APIs, Kubernetes clusters, Redis servers, and the React2Shell vulnerability. TeamPCP then tried to move laterally across victim networks, stealing login credentials and extorting victims via Telegram.

A snippet of the malicious CanisterWorm that hunts for and wipes data on systems set to Iran’s time zone or configured with Farsi as the default language. Image: Aikido.

In a January profile of TeamPCP, security firm Flare reported that the group focuses on weaponizing exposed control planes instead of attacking endpoints. The actors primarily target cloud infrastructure rather than end-user devices, with Azure (61%) and AWS (36%) making up 97% of the compromised servers.

“TeamPCP’s strength does not come from novel exploits or original malware, but from the large-scale automation and integration of well-known attack techniques,” wrote Flare’s Assaf Morag. The group transforms existing vulnerabilities, misconfigurations, and repurposed tools into a cloud-native exploitation platform, converting exposed infrastructure into a self-propagating criminal ecosystem.

On March 19, TeamPCP carried out a supply chain attack on Aqua Security’s Trivy vulnerability scanner by embedding credential-stealing malware into the official releases distributed via GitHub Actions.
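The worm described above spreads through exposed control planes, and two of the services named, the Docker API and Redis, are exposed by a handful of well-known configuration settings. The following script is an added example written for this page, not code from Krebs on Security, Flare, Aikido or any of the vendors named; it audits a Docker `daemon.json` and a `redis.conf` for the exposure pattern (API reachable on a non-loopback TCP address without client-certificate verification; Redis bound to a non-loopback address without a password or with protected mode off). The sample configurations are constructed for the demonstration, and the password value is a placeholder.

```python
"""Audit Docker daemon.json and redis.conf for the exposure a cloud worm abuses.

Added example, not part of the original article. Sample configs below are
constructed; the Docker keys (hosts, tlsverify, tlscacert, tlscert, tlskey)
and Redis directives (bind, protected-mode, requirepass) are the real names
each product uses.
"""
import json
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def docker_findings(daemon_json: str) -> list[str]:
    """Flag Docker API listeners reachable from the network without TLS client auth."""
    cfg = json.loads(daemon_json)
    findings = []
    for host in cfg.get("hosts", []):
        url = urlsplit(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are local-only
        if (url.hostname or "") in LOOPBACK:
            continue
        if not cfg.get("tlsverify", False):
            findings.append(
                f"Docker API listens on {host} without tlsverify; "
                "anyone who can reach the port controls the host"
            )
    return findings


def redis_findings(redis_conf: str) -> list[str]:
    """Flag Redis instances bound to non-loopback addresses without auth."""
    settings: dict[str, list[str]] = {}
    for line in redis_conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key.lower(), []).append(value.strip())

    # Absent "bind" means Redis listens on every interface; a leading "-" marks
    # an optional address in Redis 7 syntax and "*" means all interfaces.
    bind_addrs = " ".join(settings.get("bind", ["0.0.0.0"])).split()
    exposed = any(addr.lstrip("-") not in LOOPBACK for addr in bind_addrs)
    protected = settings.get("protected-mode", ["yes"])[-1].lower() == "yes"
    has_password = bool(settings.get("requirepass", [""])[-1])

    findings = []
    if exposed and not has_password:
        findings.append(f"Redis bound to {bind_addrs} with no requirepass")
    if exposed and not protected:
        findings.append("Redis protected-mode is disabled on a non-loopback bind")
    return findings


# Constructed sample configurations: a weak and a hardened variant of each.
WEAK_DAEMON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
WEAK_REDIS = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED_REDIS = "bind 127.0.0.1 -::1\nprotected-mode yes\nrequirepass REPLACE-WITH-REAL-SECRET\n"

if __name__ == "__main__":
    for label, text, fn in [
        ("weak daemon.json", WEAK_DAEMON, docker_findings),
        ("hardened daemon.json", HARDENED_DAEMON, docker_findings),
        ("weak redis.conf", WEAK_REDIS, redis_findings),
        ("hardened redis.conf", HARDENED_REDIS, redis_findings),
    ]:
        print(f"{label}: {fn(text) or 'no findings'}")
```

The check is deliberately narrow: it reads the on-disk configuration, so it catches the setting before the service is exposed, but it says nothing about firewall rules or cloud security groups, which is where the same mistake is often made a second time.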
Aqua Security has since removed the malicious files, but security firm Wiz reports that the attackers managed to release harmful versions which stole SSH keys, cloud credentials, Kubernetes tokens, and cryptocurrency wallets from users. Over the weekend, the same TeamPCP infrastructure previously used in the Trivy attack was repurposed to deliver a new malicious payload that triggers a wiper attack if the victim’s timezone and locale indicate they are in Iran, according to Aikido security researcher Charlie Eriksen.
Krebs on Security