CP
cyberpings
Malware & RansomwareHIGH

CanisterWorm - New Wiper Attack Targets Iran's Cloud Services

KoKrebs on Security
CanisterWormTeamPCPTrivyAqua SecurityKubernetes
🎯

Basically, a new computer worm is deleting data on systems in Iran.

Quick Summary

A new wiper attack called CanisterWorm is targeting Iranian systems through cloud services. TeamPCP, the group behind it, is exploiting vulnerabilities to wipe data. This poses serious risks for organizations in the region, highlighting the need for enhanced security measures.

What Happened

A financially motivated cybercrime group, known as TeamPCP, has launched a wiper attack targeting systems in Iran. This new worm, dubbed CanisterWorm, spreads through poorly secured cloud services and is designed to wipe data on systems that use Iran's time zone or have Farsi set as the default language. The attack began over the weekend, indicating a strategic move by the group to exploit ongoing tensions in the region.

The worm exploits vulnerabilities in cloud infrastructure, specifically targeting misconfigured Docker APIs, Kubernetes clusters, and Redis servers. TeamPCP has been active since December 2025, focusing on corporate cloud environments. Their approach relies on the automation of existing attack techniques, allowing them to compromise systems at scale.

Who's Being Targeted

The primary targets of CanisterWorm are organizations operating within Iran or those utilizing cloud services configured to match Iranian settings. This includes businesses that rely on Azure and AWS, which account for the majority of compromised servers. The group's choice of targets reflects a broader trend of cybercriminals leveraging geopolitical conflicts to further their financial motives.

Experts believe that the wiper attack could have devastating effects on the data integrity of affected organizations. If the worm successfully identifies a target in Iran, it can wipe data across entire Kubernetes clusters, posing a significant risk to businesses reliant on these technologies.

Signs of Infection

Organizations should be vigilant for unusual activity, particularly if they operate in cloud environments. Signs of infection may include unexpected data loss, unusual access patterns, or alerts from security tools regarding compromised cloud services. The worm's self-propagating nature means it can spread quickly, making early detection crucial.

In addition to the wiper component, TeamPCP has been known to steal sensitive data, including SSH keys and cloud credentials. This dual threat of data theft and destruction makes CanisterWorm particularly dangerous for organizations in the region.

How to Protect Yourself

To mitigate the risks posed by CanisterWorm, organizations should take immediate action to secure their cloud environments. This includes:

  • Reviewing cloud configurations: Ensure that all services are properly secured and that unnecessary access is restricted.
  • Implementing monitoring solutions: Use security tools that can detect anomalies in cloud activity and alert administrators to potential breaches.
  • Educating staff: Train employees on recognizing phishing attempts and securing credentials, as social engineering tactics may accompany such attacks.

As the cyber threat landscape continues to evolve, staying informed about emerging threats like CanisterWorm is essential for maintaining robust cybersecurity practices.

🔒 Pro insight: The automation and scale of TeamPCP's attacks signal a troubling trend in cloud security, necessitating immediate defensive measures from affected organizations.

Original article from

Krebs on Security · BrianKrebs

Read Full Article

Share

Related Pings

HIGHMalware & Ransomware

Malware - Defender Stops GPO-Based Ransomware Attack

Microsoft Defender thwarted a ransomware attack that exploited Group Policy Objects. The proactive defense protected 700 devices, preventing widespread encryption. This incident underscores the importance of advanced security measures.

Microsoft Security Blog·
HIGHMalware & Ransomware

MioLab - New Malware Targets macOS Users with ClickFix

A new malware named MioLab is targeting macOS users, stealing sensitive data through advanced techniques. This threat affects developers and cryptocurrency investors alike. Understanding and mitigating the risks is essential for protection.

Cyber Security News·
HIGHMalware & Ransomware

Ransomware Attack - Trio-Tech International Reports Incident

What Happened Trio-Tech International, a California-based semiconductor testing company, reported a ransomware attack affecting its subsidiary in Singapore. The attack was discovered on March 11, 2026, and initially deemed non-material. However, by March 18, the situation escalated, resulting in unauthorized data disclosure. This prompted the company to reassess the incident's significance, leading to a filing with the Securities and

The Record·
HIGHMalware & Ransomware

Oblivion RAT - New Android Spyware Operation Uncovered

A new Android RAT, Oblivion, is turning fake Play Store updates into a full-scale spyware operation. This malware poses severe risks to users' privacy and security. Stay alert and protect your devices from this sophisticated threat.

Cyber Security News·
HIGHMalware & Ransomware

Ransomware Attack - Trio-Tech's Singapore Subsidiary Targeted

Trio-Tech's subsidiary in Singapore has been hit by a ransomware attack, encrypting files and leading to potential data exposure. The company is actively responding and investigating the incident, emphasizing the need for robust cybersecurity measures.

SecurityWeek·
HIGHMalware & Ransomware

Malware - Russia-linked Operation Collapses After Arrest

An Android malware operation called ClayRat has collapsed after security flaws and the developer's arrest. This incident raises concerns about the ongoing cyber threats. Users are urged to stay vigilant against such malware attacks.

The Record·