Threat Intel - Trivy Supply-Chain Attack Expands to Docker
In short: attackers compromised Trivy, Aqua Security's open-source vulnerability scanner, and used its GitHub repositories and Docker Hub images to distribute malware.
Aqua Security is dealing with a severe supply-chain attack by the TeamPCP group, which compromised the company's GitHub repositories and Docker Hub images. The breach puts the integrity of Trivy builds, and of every pipeline that runs them, in question. Aqua is working on remediation and has published updates.
The Threat
The supply-chain attack on Aqua Security has escalated: the TeamPCP attackers have now compromised both the company's GitHub repositories and its Docker Hub images. They first got into Aqua Security's GitHub organization, which let them tamper with Trivy, a widely used scanner for finding vulnerabilities in code, images and configuration. The attack then reached Docker Hub, where malicious Trivy images were uploaded, so anyone who pulled a tampered image or release during the exposure window may be affected.
The entry point was Aqua Security's own GitHub access controls (a service-account token, detailed under Tactics & Techniques below): with write access to the organization's repositories, the attackers injected malicious code into Trivy itself. The implications reach well beyond Aqua Security. Trivy typically runs inside CI/CD pipelines, where runners hold source code, registry credentials and often cloud credentials, so a trojaned build exposes every organization that executes it.
Who's Behind It
The attackers, known as TeamPCP, have a history of targeting software supply chains. Their latest actions reveal a sophisticated understanding of GitHub's infrastructure and how to exploit it. By compromising a service account with elevated privileges, they were able to execute unauthorized changes across multiple repositories in a matter of minutes.
The breach is particularly concerning because the first containment did not hold: Aqua Security's incident response found that the attackers regained access after the initial remediation. That pattern usually means a credential or session survived the first round of rotation, and the speed of the attack shows how little time defenders have once a service-account token is exposed. Companies should treat service accounts and token management as first-class security controls, not housekeeping.
Tactics & Techniques
TeamPCP's approach relied on a credential-harvesting malware known as the TeamPCP Cloud stealer, which collects GitHub tokens and cloud credentials from CI runners. With it, the attackers obtained a Personal Access Token (PAT) belonging to a service account that had no multi-factor authentication. Two details matter here: a PAT is a bearer credential, so whoever holds it acts as the account with no login prompt and no second factor, and the account itself lacked MFA, which left no stronger control on the account behind the token.
The attackers also changed repository descriptions to claim ownership, a visible demonstration of their write access to Aqua Security's assets. Manipulation of this kind disrupts operations and, more lastingly, undermines trust in the affected tools and platforms. Organizations should monitor their repositories for unauthorized metadata changes, pushes and access, and alert on them promptly.
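The two behaviours just described give defenders something concrete to detect: one identity mutating many repositories within minutes, and a service identity acting from a network it never operates from. The following is an added example of that detection logic, not code from the article or from Aqua Security. The events are constructed, and the event shape, field names (`ts`, `actor`, `action`, `repo`, `ip`) and action strings are assumptions; map them onto whatever audit-log export your platform provides.

```python
"""Detection logic for the TeamPCP-style pattern described above (added
example, not from the article or Aqua Security): one identity changing many
repositories within minutes, and a service identity acting from outside its
expected networks. Event shape, field names and action strings are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed sample events, not real audit-log data. "ci-bot" normally acts
# from the CI network 10.1.0.0/16; the 10:00 burst comes from elsewhere.
SAMPLE_EVENTS = [
    {"ts": "2026-03-20T08:12:00Z", "actor": "ci-bot", "action": "git.push",
     "repo": "org/trivy", "ip": "10.1.2.3"},
    {"ts": "2026-03-20T09:40:00Z", "actor": "dev-alice", "action": "repo.update",
     "repo": "org/docs", "ip": "198.51.100.9"},
    {"ts": "2026-03-20T10:00:05Z", "actor": "ci-bot", "action": "repo.change_description",
     "repo": "org/trivy", "ip": "203.0.113.7"},
    {"ts": "2026-03-20T10:00:41Z", "actor": "ci-bot", "action": "repo.change_description",
     "repo": "org/trivy-action", "ip": "203.0.113.7"},
    {"ts": "2026-03-20T10:01:10Z", "actor": "ci-bot", "action": "git.push",
     "repo": "org/trivy-db", "ip": "203.0.113.7"},
    {"ts": "2026-03-20T10:02:30Z", "actor": "ci-bot", "action": "repo.change_description",
     "repo": "org/trivy-operator", "ip": "203.0.113.7"},
    {"ts": "2026-03-20T10:04:00Z", "actor": "ci-bot", "action": "org.list_members",
     "repo": None, "ip": "203.0.113.7"},
]

# Networks each service identity is expected to act from (assumed values).
EXPECTED_SOURCES = {"ci-bot": [ipaddress.ip_network("10.1.0.0/16")]}

# Actions that change a repository. The names are assumed, not a platform schema.
REPO_MUTATIONS = {"git.push", "repo.update", "repo.change_description",
                  "repo.rename", "repo.add_member"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def burst_actors(events, window=timedelta(minutes=10), min_repos=3):
    """Actors that mutated at least `min_repos` distinct repositories inside
    any `window`-long interval. Returns {actor: sorted repos in that window}."""
    by_actor = defaultdict(list)
    for e in events:
        if e["action"] in REPO_MUTATIONS:
            by_actor[e["actor"]].append((parse_ts(e["ts"]), e["repo"]))
    flagged = {}
    for actor, items in by_actor.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            # Sliding window anchored at each event; items are time-ordered.
            repos = {r for t, r in items[i:] if t - t0 <= window}
            if len(repos) >= min_repos:
                flagged[actor] = sorted(repos)
                break
    return flagged


def offsource_events(events, expected=EXPECTED_SOURCES):
    """Events in which a known service identity acts from outside its expected
    networks. Actors without an entry in `expected` are skipped."""
    out = []
    for e in events:
        nets = expected.get(e["actor"])
        if nets is None:
            continue
        addr = ipaddress.ip_address(e["ip"])
        if not any(addr in n for n in nets):
            out.append(e)
    return out


if __name__ == "__main__":
    for actor, repos in burst_actors(SAMPLE_EVENTS).items():
        print(f"burst: {actor} touched {len(repos)} repos: {', '.join(repos)}")
    for e in offsource_events(SAMPLE_EVENTS):
        print(f"off-source: {e['ts']} {e['actor']} {e['action']} from {e['ip']}")
```

On the constructed sample, `burst_actors` flags only `ci-bot` (four repositories in under three minutes; `dev-alice` touched one), and `offsource_events` returns every `ci-bot` event from 203.0.113.7, including the non-mutating membership listing, which is exactly the kind of reconnaissance a stolen token is first used for. Tune `window`, `min_repos` and `EXPECTED_SOURCES` to your own baseline: a release bot that legitimately tags twenty repositories at once needs a higher threshold, but it should still never do so from an unexpected network.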
Defensive Measures
To contain the damage, Aqua Security has published clean Trivy versions, engaged incident response teams for further investigation, and released indicators of compromise (IOCs) so that other organizations can check whether they pulled a tampered build or image.
For companies using Trivy or similar tools, the immediate step is to move to the versions Aqua has published as safe and check the IOCs against anything the pipeline downloaded. Beyond that, the lesson is about the credentials pipelines hold: inventory service accounts and their tokens, give each token the narrowest scope and a short expiry, rotate and revoke on a schedule, and enforce multi-factor authentication on every account, especially those with elevated privileges. Continuous monitoring of repository and token activity, paired with the ability to revoke access within minutes, is what turns a stolen token into a contained incident rather than a supply-chain compromise.
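The service-account audit recommended above, and the PAT caveat from the Tactics & Techniques section (a bearer token is not gated by the account's MFA, so scope, expiry and rotation are the controls that actually bound its theft from a CI runner), as an added example that is not from the article or from Aqua Security. The inventory is constructed, and its field names (`login`, `role`, `two_factor`, `tokens`, `scopes`, `expires`, `last_used`) are assumed: they would come from your own export of accounts and tokens, not from any particular vendor API.

```python
"""Audit of service accounts and their personal access tokens (added example,
not from the article or Aqua Security). The inventory is constructed and its
field names are assumed; populate it from your own account/token export."""
from datetime import datetime, timedelta, timezone

# Fixed reference time so the findings are reproducible.
NOW = datetime(2026, 3, 21, tzinfo=timezone.utc)
MAX_TOKEN_AGE = timedelta(days=90)   # rotate tokens at least this often
UNUSED_AFTER = timedelta(days=30)    # a token nobody uses is pure attack surface
# Scopes that let a stolen token rewrite code, workflows, packages or org membership.
BROAD_SCOPES = {"repo", "admin:org", "workflow", "write:packages", "delete_repo"}

# Constructed inventory, not real data.
INVENTORY = [
    {"login": "ci-bot", "role": "admin", "two_factor": False, "tokens": [
        {"id": "t1", "type": "classic", "scopes": ["repo", "admin:org", "workflow"],
         "created": "2025-01-10", "expires": None, "last_used": "2026-03-20"}]},
    {"login": "release-bot", "role": "member", "two_factor": True, "tokens": [
        {"id": "t2", "type": "fine_grained", "scopes": ["contents:write"],
         "created": "2026-02-01", "expires": "2026-05-01", "last_used": "2026-03-19"}]},
    {"login": "old-scanner", "role": "member", "two_factor": True, "tokens": [
        {"id": "t3", "type": "classic", "scopes": ["read:packages"],
         "created": "2024-06-01", "expires": None, "last_used": "2025-08-02"}]},
]


def _day(s):
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def audit(inventory, now=NOW):
    """Return (login, token_id, finding) triples; token_id is None for
    account-level findings."""
    findings = []
    for acct in inventory:
        login = acct["login"]
        if not acct["two_factor"]:
            # An admin without a second factor is the worst case: one stolen
            # password or token and the whole organization is writable.
            code = "admin_no_2fa" if acct["role"] == "admin" else "no_2fa"
            findings.append((login, None, code))
        for tok in acct["tokens"]:
            tid = tok["id"]
            if tok["type"] == "classic":
                findings.append((login, tid, "classic_token"))   # coarse, org-wide scopes
            if tok["expires"] is None:
                findings.append((login, tid, "no_expiry"))       # stolen once, valid forever
            if BROAD_SCOPES & set(tok["scopes"]):
                findings.append((login, tid, "broad_scopes"))
            if now - _day(tok["created"]) > MAX_TOKEN_AGE:
                findings.append((login, tid, "stale_rotation"))
            if now - _day(tok["last_used"]) > UNUSED_AFTER:
                findings.append((login, tid, "unused_30d"))      # revoke, nobody will notice
    return findings


def codes_for(findings, login):
    """Set of finding codes raised against one account."""
    return {code for who, _, code in findings if who == login}


if __name__ == "__main__":
    for login, tid, code in audit(INVENTORY):
        print(f"{login:12} {tid or '-':4} {code}")
```

On the constructed inventory, `ci-bot` is the account this article is about: an admin with no second factor holding a non-expiring classic token with `repo`, `admin:org` and `workflow` scopes that has not been rotated in over a year. `release-bot` is the target state (fine-grained, narrowly scoped, expiring, recently rotated), and `old-scanner` shows the quieter risk of a forgotten token that should simply be revoked. For a GitHub organization the account-level part of this data comes from the organization members listing with its `2fa_disabled` filter; token-level fields depend on what your platform exposes, so treat the schema here as a template.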
BleepingComputer