The TeamPCP hacking group has launched an attack targeting Kubernetes clusters with a malicious script designed to wipe systems configured for Iran. The campaign reuses the same command-and-control (C2) infrastructure, backdoor code, and drop path seen in the 'CanisterWorm' incidents, but introduces a destructive payload aimed specifically at Iranian systems. If the system's timezone or locale matches Iran, the malware deploys a DaemonSet named 'Host-provisioner-iran', which runs an Alpine container that deletes every top-level directory on the host filesystem and forces a reboot. On non-Iranian systems where Kubernetes is present, it instead installs the CanisterWorm backdoor as a systemd service for persistence. On Iranian systems without Kubernetes, the malware wipes files with 'rm -rf --no-preserve-root'. This highlights the increasing sophistication of geopolitical cyber-attacks targeting specific regions and demonstrates the critical need for robust security measures in Kubernetes environments.
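Defenders can hunt for a DaemonSet shaped like the one described above by scanning `kubectl get ds -A -o json` output for the payload's name, a privileged container, a read-write mount of the node root, and the wipe command. The following is an added example, not code from the original report; the `SAMPLE` manifests are constructed for illustration and the `fluent/fluent-bit` image in the benign entry is only a placeholder.

```python
import json

# Indicators taken from the report's description of the payload.
SUSPECT_NAMES = {"host-provisioner-iran"}
WIPE_MARKERS = ("rm -rf", "--no-preserve-root")


def daemonset_findings(ds: dict) -> list[str]:
    """Return findings for one DaemonSet object (the dict form of its JSON)."""
    findings = []
    name = ds.get("metadata", {}).get("name", "")
    if name.lower() in SUSPECT_NAMES:
        findings.append(f"name matches known payload: {name}")
    pod = ds.get("spec", {}).get("template", {}).get("spec", {})
    # Map volume names to their hostPath sources so mounts of the node root stand out.
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in pod.get("volumes", []) if "hostPath" in v}
    for c in pod.get("containers", []):
        cmd = " ".join(c.get("command", []) + c.get("args", []))
        if any(m in cmd for m in WIPE_MARKERS):
            findings.append(f"{c['name']}: destructive command '{cmd}'")
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"{c['name']}: privileged container ({c.get('image', '?')})")
        for vm in c.get("volumeMounts", []):
            if host_paths.get(vm["name"]) == "/" and not vm.get("readOnly", False):
                findings.append(f"{c['name']}: node root mounted read-write at {vm['mountPath']}")
    return findings


def scan(daemonset_list: dict) -> dict[str, list[str]]:
    """Scan a DaemonSetList (shape of `kubectl get ds -A -o json`); findings keyed by ns/name."""
    results = {}
    for ds in daemonset_list.get("items", []):
        if found := daemonset_findings(ds):
            meta = ds["metadata"]
            results[f"{meta.get('namespace', 'default')}/{meta['name']}"] = found
    return results


# Constructed sample: a benign log shipper next to a DaemonSet shaped like the described payload.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"name": "log-shipper", "namespace": "logging"}, "spec": {"template": {"spec": {
   "volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}],
   "containers": [{"name": "shipper", "image": "fluent/fluent-bit",
     "volumeMounts": [{"name": "logs", "mountPath": "/var/log", "readOnly": true}]}]}}}},
 {"metadata": {"name": "Host-provisioner-iran", "namespace": "kube-system"}, "spec": {"template": {"spec": {
   "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
   "containers": [{"name": "wipe", "image": "alpine", "securityContext": {"privileged": true},
     "command": ["sh", "-c", "rm -rf --no-preserve-root /host/*; reboot"],
     "volumeMounts": [{"name": "host", "mountPath": "/host"}]}]}}}}]}""")
```

Run `scan(json.load(open("ds.json")))` on a real `kubectl get ds -A -o json` dump; any DaemonSet that trips the privileged-plus-root-mount checks deserves review even when its name differs from the reported one.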
- Kubernetes clusters
- Alpine Linux containers
- Docker API
- Apply Kubernetes security patches by running 'kubectl apply -f ...' to ensure all nodes are up-to-date.
- Disable passwordless sudo for non-root users by editing '/etc/sudoers' and removing the NOPASSWD: tag from relevant user entries.
- Configure strict host key checking in SSH settings by adding 'StrictHostKeyChecking=yes' in '/etc/ssh/sshd_config'.
- Enable authentication requirements on Docker API port 2375 to prevent unauthorized access.
The impact is significant for homelab stacks using Kubernetes, Alpine Linux containers, and Docker. Specifically, systems running any version of these technologies are at risk without proper security configurations.