Article 76TST CAI cloud worm gives competitors' malware the boot, then steals secrets and mines for coin

CAI cloud worm gives competitors' malware the boot, then steals secrets and mines for coin

by
from www.theregister.com - Articles on (#76TST)
Story ImageEXCLUSIVE There's no honor among thieves as a new worm steals from other infectious software. It pilfers multiple" victims' credentials and mines for cryptocurrency while killing competitors' processes, including similar secret-harvesting malware. It's called Cloud AI Infrastructure Attack Framework (CAI), and it's a centralized botnet that targets cloud-native developer tools like Docker, Kubernetes, Redis, etcd, Kubelet, and Ray for credential theft and cryptomining. The scripts are heavily inspired" by the likes of other similar credential-stealing worms that have wreaked havoc across cloud environments and supply chains this year, using code comments like PCPJack-aligned,'" according to security researcher Michael R. CAI explicitly seeks out and kills TeamPCP and PCPJack processes, to further monopolize on compromised targets," he posted on X. TeamPCP is the malware-developing crew behind the mini Shai-Hulud, Miasma, and Canister worms that have been poisoning open source registries and harvesting cloud access tokens, credentials, API keys, and other sensitive data since the Trivy supply-chain attack earlier this year. And PCPJack is a newer secret-stealing copycat worm that not only nabs credentials, but also deletes TeamPCP artifacts to kick that competitor out of victims' cloud infrastructure. CAI seems to have taken lessons from both. CAI is a constantly evolving framework meant to rival toolkits utilized by TeamPCP and PCPJack," Hunt.io threat researcher Michael Rippey told The Register. Hunt.io's team was the first to spot CAI on June 15, when it observed the first of three open directories via the security shop's web-scanning engine, AttackCapture, that were linked to the operator. Over three weeks, the operator moved from testing worm code mimicking TTPs used by PCPJack, to full production, deployment and compromise of networks," Rippey said. The codebase shows signs of LLM-assisted development, reflecting a deliberate progression of someone studying what works to build a competitive platform." While the malware isn't overly sophisticated," it is effective, with recent command-and-control logs confirming active exploitation attempts, with wallet activity confirming multiple successful compromises," Rippey said. CAI's framework consists of a scanning engine [that] feeds targets into automated exploit queues, with centralized C2 control coordinating attacks across cloud infrastructure with an emphasis on Docker, Redis, etcd, Kubelet, and more," he added. Currently, compromised hosts receive miners, credential stealers, and a Python backdoor," Rippey said. CAI's emergence alongside TeamPCP and PCPJack indicates a growing number of competing threat actors targeting each other and cloud infrastructure." Defenders and developers alike should take note, as we've already seen the damage that these new-ish cloud worms leave in their wake as they burrow across supply chains. Plus, it's unlikely that this will be the last of the miscreants seeking to monetize companies' cloud infrastructure and developers' secrets.(R)
External Content
Source RSS or Atom Feed
Feed Location http://www.theregister.co.uk/headlines.atom
Feed Title www.theregister.com - Articles
Feed Link https://www.theregister.com/
Reply 0 comments