Trivy Hack - Infostealer Spreads via Docker, Triggers Wiper
In short: attackers trojanized a popular security scanner and shipped it through Docker Hub, putting many developers' environments at risk.
A major supply chain attack on Trivy has led to the distribution of malware via Docker Hub. Developers who pulled the affected versions are at risk, and immediate action is needed to secure environments and prevent further exploitation.
What Happened
Cybersecurity researchers have uncovered a serious supply chain attack involving Trivy, a widely used open-source vulnerability scanner. Malicious versions of Trivy were distributed via Docker Hub, specifically versions 0.69.4, 0.69.5, and 0.69.6. These versions were pushed without corresponding GitHub releases, a sign that they did not come through the project's normal release process. The last clean version available was 0.69.3, which has since been removed from the container image library.
The attack is attributed to a threat actor known as TeamPCP. They used a compromised service account to push a credential stealer inside the trojanized versions of Trivy and its associated GitHub Actions. Because a scanner like Trivy typically runs with access to source code, registries and CI secrets, the impact spans many developer environments and raises questions about the security of widely used tooling.
Who's Being Targeted
The fallout is significant: the many developers and organizations that rely on Trivy for vulnerability scanning are now at risk. The attackers have used the stolen data to compromise dozens of npm packages, distributing a self-propagating worm known as CanisterWorm. This is not a one-off incident but part of a broader campaign against cloud infrastructure and development tooling.
TeamPCP has also shown growing sophistication, using compromised credentials to reach critical repositories. This resulted in the defacement of 44 internal repositories belonging to Aqua Security, the organization behind Trivy; each repository was renamed and made public, a move intended to showcase the attackers' capabilities.
Signs of Infection
Organizations that used the affected versions of Trivy should look for signs of infection. Finding CanisterWorm on a system means it has been compromised and may have suffered data theft or further exploitation. Also alarming is the emergence of a new wiper capable of destroying entire Kubernetes clusters.
The wiper identifies Iranian systems and runs destructive commands on them, while non-Iranian nodes receive the CanisterWorm backdoor instead. The speed with which these stages were carried out shows the attackers' efficiency and planning. Organizations should assess where Trivy runs in their environments and monitor those systems for unusual activity.
How to Protect Yourself
Organizations should act immediately. First, review where Trivy is used in CI/CD pipelines and stop using the compromised versions; pin to a known-clean version by image digest or commit SHA rather than a mutable tag, so that a future malicious push cannot be picked up automatically. Treat any recent execution of the affected versions as a compromise: because the payload is a credential stealer, rotate every secret the pipeline or host could reach.
Beyond that, tighten access controls and monitor repositories and registries for unauthorized changes. Regular audits of service accounts and their permissions help prevent similar incidents. This breach is a stark reminder of how exposed software supply chains are and of the need for robust controls around them.
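The pipeline review and host check described in the two sections above, as a runnable script. This is an added example written for this page, not code from the article, from The Hacker News or from Aqua Security. It assumes the Docker Hub image name aquasec/trivy (also matched as aquasecurity/trivy) and the GitHub Action name aquasecurity/trivy-action; the sample files it writes are constructed for the demonstration, and the commit-SHA pinning check is the editor's general hardening rule, not an indicator published on the page.

```shell
#!/bin/sh
# Added example for this article; editor's code, not from the article or
# from Aqua Security. Scans CI/CD definitions and Dockerfiles for the Trivy
# image tags the article reports as trojanized (0.69.4, 0.69.5, 0.69.6),
# flags trivy-action steps not pinned to a commit SHA, and lists locally
# cached images with those tags. Assumed names: aquasec/trivy (Docker Hub),
# aquasecurity/trivy and aquasecurity/trivy-action. The SHA-pinning rule
# is a general hardening check chosen by the editor, not a page indicator.

BAD_TAG_RE='(aquasec|aquasecurity)/trivy:0\.69\.[456]([^0-9.]|$)'

# Print every line (file:line:text) that references a trojanized tag.
# Returns 0 when all files are clean, 1 when at least one reference exists.
find_bad_trivy_tags() {
    status=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        if grep -HnE "$BAD_TAG_RE" "$f"; then
            status=1
        fi
    done
    return $status
}

# Print every "uses: aquasecurity/trivy-action@<ref>" step whose ref is not
# a 40-hex commit SHA; tags and branches are mutable and can be repointed.
# Returns 0 when all such steps are SHA-pinned, 1 otherwise.
find_unpinned_trivy_action() {
    status=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        if grep -HnE 'uses:[[:space:]]*aquasecurity/trivy-action@' "$f" \
            | grep -vE 'trivy-action@[0-9a-f]{40}([^0-9a-f]|$)'; then
            status=1
        fi
    done
    return $status
}

# List locally cached Trivy images carrying a trojanized tag. Needs the
# docker CLI and returns 0 silently when it is absent. Any hit means this
# host pulled a malicious image and should be treated as compromised.
list_bad_local_images() {
    command -v docker >/dev/null 2>&1 || return 0
    if docker images --format '{{.Repository}}:{{.Tag}}' 2>/dev/null \
        | grep -E "$BAD_TAG_RE"; then
        return 1
    fi
    return 0
}

# Write constructed sample files (not real repository content) into $1:
# an unpinned workflow, a Dockerfile on a trojanized tag, and a clean file
# on 0.69.3 with a SHA-pinned step (the SHA is a made-up placeholder).
write_samples() {
    dir=$1
    mkdir -p "$dir/.github/workflows"
    cat > "$dir/.github/workflows/scan.yml" <<'EOF'
name: scan
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
EOF
    cat > "$dir/Dockerfile" <<'EOF'
FROM aquasec/trivy:0.69.5 AS scanner
FROM alpine:3.20
EOF
    cat > "$dir/clean.yml" <<'EOF'
steps:
  - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
  - run: docker run --rm aquasec/trivy:0.69.3 image alpine:3.20
EOF
}

# Usage: sh check_trivy.sh .github/workflows/*.yml Dockerfile
# Returns 1 if anything is flagged, so the script can gate a CI job.
main() {
    rc=0
    find_bad_trivy_tags "$@" || rc=1
    find_unpinned_trivy_action "$@" || rc=1
    list_bad_local_images || rc=1
    return $rc
}

if [ "$#" -gt 0 ]; then
    main "$@"
    exit $?
fi
```

Run it against every workflow file and Dockerfile in a repository; a non-zero exit is enough to fail a CI job. A hit from list_bad_local_images means the host actually pulled one of the trojanized images, which, given the credential stealer the article describes, is the cue to rotate every secret that host or pipeline could reach rather than merely to delete the image.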
The Hacker News