The threat actor TeamPCP executed a supply-chain attack by compromising the GitHub account of Aqua Security to inject malware into virtually all versions of the open-source Trivy vulnerability scanner. The campaign deploys a self-propagating backdoor to build a distributed attack infrastructure for data exfiltration, ransomware, and cryptomining, and includes a data wiper component targeting Iranian systems. No specific patch version is provided; users of the compromised Trivy software should seek official remediation guidance from Aqua Security.
A new hacking group has been rampaging the Internet in a persistent campaign that spreads a self-propagating and never-before-seen backdoor—and curiously a data wiper that targets Iranian machines. The group, tracked under the name TeamPCP, first gained visibility in December, when researchers from security firm Flare observed it unleashing a worm that targeted cloud-hosted platforms that weren’t properly secured. The objective was to build a distributed proxy and scanning infrastructure and then use it to compromise servers for exfiltrating data, deploying ransomware, conducting extortion, and mining cryptocurrency. The group is notable for its skill in large-scale automation and integration of well-known attack techniques. Relentless and constantly evolving More recently, TeamPCP has waged a relentless campaign that uses continuously evolving malware to bring ever more systems under its control. Late last week, it compromised virtually all versions of the widely used Trivy vulnerability scanner in a supply-chain attack after gaining privileged access to the GitHub account of Aqua Security, the Trivy creator. Read full article Comments